1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\sembako-dezjkkg.exe\""	1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\sembako-dezjkkg.exe\""	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\sembako-dezjkkg.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\sembako-dezjkkg.exe\""	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\sembako-dezjkkg.exe\""	lsass.exe

Modifies visibility of file extensions in Explorer 2 TTPs 5 IoCs

Hidden Files and Directories

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lsass.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 5 IoCs

Hidden Files and Directories

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe

Disables RegEdit via registry modification 10 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	services.exe

Disables cmd.exe use via registry modification 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "0"	1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "0"	services.exe

Executes dropped EXE 4 IoCs

pid	Process
2036	smss.exe
1428	winlogon.exe
868	services.exe
1988	lsass.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif	smss.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif	smss.exe

Loads dropped DLL 8 IoCs

pid	Process
1940	1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe
1940	1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe
2036	smss.exe
2036	smss.exe
2036	smss.exe
2036	smss.exe
2036	smss.exe
2036	smss.exe

Adds Run key to start application 2 TTPs 21 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus-degkknry = "\"C:\\Windows\\ShellNew\\bbm-yrnkkged.exe\""	1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Runonce = "C:\\Windows\\system32\\runouce.exe"	1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus	1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus-degkknry = "\"C:\\Windows\\ShellNew\\bbm-yrnkkged.exe\""	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus-1464 = "\"C:\\Users\\Admin\\AppData\\Local\\br3951on.exe\""	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus	1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus-degkknry = "\"C:\\Windows\\ShellNew\\bbm-yrnkkged.exe\""	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus-1464 = "\"C:\\Users\\Admin\\AppData\\Local\\br3951on.exe\""	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus-1464 = "\"C:\\Users\\Admin\\AppData\\Local\\br3951on.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus-degkknry = "\"C:\\Windows\\ShellNew\\bbm-yrnkkged.exe\""	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus-1464 = "\"C:\\Users\\Admin\\AppData\\Local\\br3951on.exe\""	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus-1464 = "\"C:\\Users\\Admin\\AppData\\Local\\br3951on.exe\""	1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus-degkknry = "\"C:\\Windows\\ShellNew\\bbm-yrnkkged.exe\""	winlogon.exe

Drops file in System32 directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\cmd-bro-kkx.exe	services.exe
File created	C:\Windows\SysWOW64\sistem.sys	1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	winlogon.exe
File created	C:\Windows\SysWOW64\DXBLBM.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	services.exe
File opened for modification	C:\Windows\SysWOW64\cmd-bro-kkx.exe	1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe
File created	C:\Windows\SysWOW64\runouce.exe	1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe
File opened for modification	C:\Windows\SysWOW64\runouce.exe	1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe
File opened for modification	C:\Windows\SysWOW64\cmd-bro-kkx.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\cmd-bro-kkx.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Admin's Setting.scr	smss.exe
File opened for modification	C:\Windows\SysWOW64\DXBLBM.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\sistem.sys	1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\cmd-bro-kkx.exe	lsass.exe
File created	C:\Windows\SysWOW64\cmd-bro-kkx.exe	1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe
File created	C:\Windows\SysWOW64\Admin's Setting.scr	smss.exe

Drops file in Program Files directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm	1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm	1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm	1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm	1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe	1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe	1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm	1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm	1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm	1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm	1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe	1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe	1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe	1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe	1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm	1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe	1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe	1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm	1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ShellNew\bbm-yrnkkged.exe	1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe
File created	C:\Windows\sembako-dezjkkg.exe	1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe
File opened for modification	C:\Windows\sembako-dezjkkg.exe	1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe
File opened for modification	C:\Windows\ShellNew\bbm-yrnkkged.exe	winlogon.exe
File opened for modification	C:\Windows\sembako-dezjkkg.exe	winlogon.exe
File opened for modification	C:\Windows\ShellNew\bbm-yrnkkged.exe	lsass.exe
File opened for modification	C:\Windows\sembako-dezjkkg.exe	lsass.exe
File created	C:\Windows\ShellNew\bbm-yrnkkged.exe	1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe
File opened for modification	C:\Windows\ShellNew\bbm-yrnkkged.exe	smss.exe
File opened for modification	C:\Windows\sembako-dezjkkg.exe	smss.exe
File opened for modification	C:\Windows\ShellNew\bbm-yrnkkged.exe	services.exe
File opened for modification	C:\Windows\sembako-dezjkkg.exe	services.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1940	1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe
2036	smss.exe
1428	winlogon.exe
868	services.exe
1988	lsass.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 900 wrote to memory of 1940	900	1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe	27
PID 900 wrote to memory of 1940	900	1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe	27
PID 900 wrote to memory of 1940	900	1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe	27
PID 900 wrote to memory of 1940	900	1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe	27
PID 900 wrote to memory of 1192	900	1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe	16
PID 900 wrote to memory of 1192	900	1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe	16
PID 1940 wrote to memory of 240	1940	1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe	28
PID 1940 wrote to memory of 240	1940	1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe	28
PID 1940 wrote to memory of 240	1940	1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe	28
PID 1940 wrote to memory of 240	1940	1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe	28
PID 1940 wrote to memory of 2036	1940	1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe	29
PID 1940 wrote to memory of 2036	1940	1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe	29
PID 1940 wrote to memory of 2036	1940	1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe	29
PID 1940 wrote to memory of 2036	1940	1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe	29
PID 2036 wrote to memory of 1428	2036	smss.exe	31
PID 2036 wrote to memory of 1428	2036	smss.exe	31
PID 2036 wrote to memory of 1428	2036	smss.exe	31
PID 2036 wrote to memory of 1428	2036	smss.exe	31
PID 2036 wrote to memory of 1856	2036	smss.exe	32
PID 2036 wrote to memory of 1856	2036	smss.exe	32
PID 2036 wrote to memory of 1856	2036	smss.exe	32
PID 2036 wrote to memory of 1856	2036	smss.exe	32
PID 2036 wrote to memory of 688	2036	smss.exe	34
PID 2036 wrote to memory of 688	2036	smss.exe	34
PID 2036 wrote to memory of 688	2036	smss.exe	34
PID 2036 wrote to memory of 688	2036	smss.exe	34
PID 2036 wrote to memory of 1460	2036	smss.exe	36
PID 2036 wrote to memory of 1460	2036	smss.exe	36
PID 2036 wrote to memory of 1460	2036	smss.exe	36
PID 2036 wrote to memory of 1460	2036	smss.exe	36
PID 2036 wrote to memory of 868	2036	smss.exe	38
PID 2036 wrote to memory of 868	2036	smss.exe	38
PID 2036 wrote to memory of 868	2036	smss.exe	38
PID 2036 wrote to memory of 868	2036	smss.exe	38
PID 2036 wrote to memory of 1988	2036	smss.exe	39
PID 2036 wrote to memory of 1988	2036	smss.exe	39
PID 2036 wrote to memory of 1988	2036	smss.exe	39
PID 2036 wrote to memory of 1988	2036	smss.exe	39

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192
- C:\Users\Admin\AppData\Local\Temp\1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe
  "C:\Users\Admin\AppData\Local\Temp\1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:900
- - C:\Users\Admin\AppData\Local\Temp\1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe
    "C:\Users\Admin\AppData\Local\Temp\1785a83cac260a165351dc1580cbb67a926411f0fe3688730350464cf04b73a4.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1940
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:240
  - - C:\Users\Admin\AppData\Local\smss.exe
      C:\Users\Admin\AppData\Local\smss.exe
      4⤵
      Modifies WinLogon for persistence
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      Disables RegEdit via registry modification
      Disables cmd.exe use via registry modification
      Executes dropped EXE
      Drops startup file
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2036
    - - C:\Users\Admin\AppData\Local\winlogon.exe
        
        C:\Users\Admin\AppData\Local\winlogon.exe
        5⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        Disables RegEdit via registry modification
        Disables cmd.exe use via registry modification
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1428
    - - C:\Windows\SysWOW64\at.exe
        
        at /delete /y
        5⤵
        
        PID:1856
    - - C:\Windows\SysWOW64\at.exe
        
        at 17:08 /every:M,T,W,Th,F,S,Su "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\6084-NendangBro.com"
        5⤵
        
        PID:688
    - - C:\Windows\SysWOW64\at.exe
        
        at 11:03 /every:M,T,W,Th,F,S,Su "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\6084-NendangBro.com"
        5⤵
        
        PID:1460
    - - C:\Users\Admin\AppData\Local\services.exe
        
        C:\Users\Admin\AppData\Local\services.exe
        5⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        Disables RegEdit via registry modification
        Disables cmd.exe use via registry modification
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:868
    - - C:\Users\Admin\AppData\Local\lsass.exe
        
        C:\Users\Admin\AppData\Local\lsass.exe
        5⤵
        Modifies WinLogon for persistence
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        Disables RegEdit via registry modification
        Disables cmd.exe use via registry modification
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry