1675a47031f9fb5e447ff15639c57bc6840377c1131d96ac36aaa93d75361e62

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	1675a47031f9fb5e447ff15639c57bc6840377c1131d96ac36aaa93d75361e62.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Session Manager = "C:\\ProgramData\\msconfig\\session.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Session Manager = "C:\\ProgramData\\msconfig\\session.exe"	smss.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\autorun.inf	smss.exe
File opened for modification	C:\autorun.inf	smss.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{7FDC14FD-2D9B-4E9C-881F-A8E7418D5597}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{545D335E-6C0B-4500-81C7-925C493974E4}.catalogItem	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
428	reg.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 816	2876	1675a47031f9fb5e447ff15639c57bc6840377c1131d96ac36aaa93d75361e62.exe	77
PID 2876 wrote to memory of 816	2876	1675a47031f9fb5e447ff15639c57bc6840377c1131d96ac36aaa93d75361e62.exe	77
PID 2876 wrote to memory of 816	2876	1675a47031f9fb5e447ff15639c57bc6840377c1131d96ac36aaa93d75361e62.exe	77
PID 816 wrote to memory of 3568	816	smss.exe	93
PID 816 wrote to memory of 3568	816	smss.exe	93
PID 816 wrote to memory of 3568	816	smss.exe	93
PID 3568 wrote to memory of 428	3568	cmd.exe	95
PID 3568 wrote to memory of 428	3568	cmd.exe	95
PID 3568 wrote to memory of 428	3568	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\1675a47031f9fb5e447ff15639c57bc6840377c1131d96ac36aaa93d75361e62.exe
"C:\Users\Admin\AppData\Local\Temp\1675a47031f9fb5e447ff15639c57bc6840377c1131d96ac36aaa93d75361e62.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2876
- C:\ProgramData\msconfig\smss.exe
  "C:\ProgramData\msconfig\smss.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops autorun.inf file
  - Suspicious use of WriteProcessMemory
  PID:816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3568
  - - C:\Windows\SysWOW64\reg.exe
      C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f
      4⤵
      UAC bypass
      Modifies registry key
      PID:428

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:2828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

3

System Information Discovery

4

Lateral Movement

Replication Through Removable Media