a8dbd40709be3a20905a59a3f989835e3bbf8cd6e85cdc0566d74a04df3d3f37

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\eksplorasi.exe\""	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\eksplorasi.exe\""	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\eksplorasi.exe\""	inetinfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\eksplorasi.exe\""	a8dbd40709be3a20905a59a3f989835e3bbf8cd6e85cdc0566d74a04df3d3f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\eksplorasi.exe\""	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\eksplorasi.exe\""	winlogon.exe

Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs

Hidden Files and Directories

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	inetinfo.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	a8dbd40709be3a20905a59a3f989835e3bbf8cd6e85cdc0566d74a04df3d3f37.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	services.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs

Hidden Files and Directories

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	a8dbd40709be3a20905a59a3f989835e3bbf8cd6e85cdc0566d74a04df3d3f37.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	inetinfo.exe

Disables RegEdit via registry modification 12 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	a8dbd40709be3a20905a59a3f989835e3bbf8cd6e85cdc0566d74a04df3d3f37.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	a8dbd40709be3a20905a59a3f989835e3bbf8cd6e85cdc0566d74a04df3d3f37.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	inetinfo.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	inetinfo.exe

Disables cmd.exe use via registry modification 6 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "0"	a8dbd40709be3a20905a59a3f989835e3bbf8cd6e85cdc0566d74a04df3d3f37.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "0"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "0"	inetinfo.exe

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts-Denied By-Admin.com	inetinfo.exe
File created	C:\Windows\System32\drivers\etc\hosts-Denied By-Admin.com	inetinfo.exe

Executes dropped EXE 5 IoCs

pid	Process
5044	smss.exe
5016	winlogon.exe
2128	services.exe
3904	lsass.exe
4276	inetinfo.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif	smss.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif	smss.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus = "\"C:\\Windows\\ShellNew\\bronstab.exe\""	a8dbd40709be3a20905a59a3f989835e3bbf8cd6e85cdc0566d74a04df3d3f37.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus = "\"C:\\Users\\Admin\\AppData\\Local\\smss.exe\""	a8dbd40709be3a20905a59a3f989835e3bbf8cd6e85cdc0566d74a04df3d3f37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus = "\"C:\\Windows\\ShellNew\\bronstab.exe\""	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus = "\"C:\\Users\\Admin\\AppData\\Local\\smss.exe\""	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus = "\"C:\\Windows\\ShellNew\\bronstab.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus = "\"C:\\Windows\\ShellNew\\bronstab.exe\""	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus = "\"C:\\Users\\Admin\\AppData\\Local\\smss.exe\""	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus = "\"C:\\Windows\\ShellNew\\bronstab.exe\""	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus = "\"C:\\Users\\Admin\\AppData\\Local\\smss.exe\""	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus = "\"C:\\Users\\Admin\\AppData\\Local\\smss.exe\""	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus = "\"C:\\Windows\\ShellNew\\bronstab.exe\""	inetinfo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus = "\"C:\\Users\\Admin\\AppData\\Local\\smss.exe\""	inetinfo.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Admin's Setting.scr	smss.exe
File opened for modification	C:\Windows\SysWOW64\Admin's Setting.scr	smss.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\eksplorasi.exe	inetinfo.exe
File opened for modification	C:\Windows\ShellNew\bronstab.exe	services.exe
File opened for modification	C:\Windows\eksplorasi.exe	services.exe
File opened for modification	C:\Windows\ShellNew\bronstab.exe	lsass.exe
File opened for modification	C:\Windows\eksplorasi.exe	lsass.exe
File opened for modification	C:\Windows\ShellNew\bronstab.exe	inetinfo.exe
File opened for modification	C:\Windows\ShellNew\bronstab.exe	a8dbd40709be3a20905a59a3f989835e3bbf8cd6e85cdc0566d74a04df3d3f37.exe
File opened for modification	C:\Windows\eksplorasi.exe	smss.exe
File opened for modification	C:\Windows\ShellNew\bronstab.exe	winlogon.exe
File created	C:\Windows\eksplorasi.exe	a8dbd40709be3a20905a59a3f989835e3bbf8cd6e85cdc0566d74a04df3d3f37.exe
File opened for modification	C:\Windows\ShellNew\bronstab.exe	smss.exe
File created	C:\Windows\ShellNew\bronstab.exe	a8dbd40709be3a20905a59a3f989835e3bbf8cd6e85cdc0566d74a04df3d3f37.exe
File opened for modification	C:\Windows\eksplorasi.exe	a8dbd40709be3a20905a59a3f989835e3bbf8cd6e85cdc0566d74a04df3d3f37.exe
File opened for modification	C:\Windows\eksplorasi.exe	winlogon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	explorer.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4772	a8dbd40709be3a20905a59a3f989835e3bbf8cd6e85cdc0566d74a04df3d3f37.exe
5044	smss.exe
5016	winlogon.exe
2128	services.exe
3904	lsass.exe
4276	inetinfo.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4772 wrote to memory of 2360	4772	a8dbd40709be3a20905a59a3f989835e3bbf8cd6e85cdc0566d74a04df3d3f37.exe	79
PID 4772 wrote to memory of 2360	4772	a8dbd40709be3a20905a59a3f989835e3bbf8cd6e85cdc0566d74a04df3d3f37.exe	79
PID 4772 wrote to memory of 2360	4772	a8dbd40709be3a20905a59a3f989835e3bbf8cd6e85cdc0566d74a04df3d3f37.exe	79
PID 4772 wrote to memory of 5044	4772	a8dbd40709be3a20905a59a3f989835e3bbf8cd6e85cdc0566d74a04df3d3f37.exe	80
PID 4772 wrote to memory of 5044	4772	a8dbd40709be3a20905a59a3f989835e3bbf8cd6e85cdc0566d74a04df3d3f37.exe	80
PID 4772 wrote to memory of 5044	4772	a8dbd40709be3a20905a59a3f989835e3bbf8cd6e85cdc0566d74a04df3d3f37.exe	80
PID 5044 wrote to memory of 5016	5044	smss.exe	81
PID 5044 wrote to memory of 5016	5044	smss.exe	81
PID 5044 wrote to memory of 5016	5044	smss.exe	81
PID 5044 wrote to memory of 4652	5044	smss.exe	82
PID 5044 wrote to memory of 4652	5044	smss.exe	82
PID 5044 wrote to memory of 4652	5044	smss.exe	82
PID 5044 wrote to memory of 2220	5044	smss.exe	85
PID 5044 wrote to memory of 2220	5044	smss.exe	85
PID 5044 wrote to memory of 2220	5044	smss.exe	85
PID 5044 wrote to memory of 2128	5044	smss.exe	86
PID 5044 wrote to memory of 2128	5044	smss.exe	86
PID 5044 wrote to memory of 2128	5044	smss.exe	86
PID 5044 wrote to memory of 3904	5044	smss.exe	88
PID 5044 wrote to memory of 3904	5044	smss.exe	88
PID 5044 wrote to memory of 3904	5044	smss.exe	88
PID 5044 wrote to memory of 4276	5044	smss.exe	89
PID 5044 wrote to memory of 4276	5044	smss.exe	89
PID 5044 wrote to memory of 4276	5044	smss.exe	89

C:\Users\Admin\AppData\Local\Temp\a8dbd40709be3a20905a59a3f989835e3bbf8cd6e85cdc0566d74a04df3d3f37.exe
"C:\Users\Admin\AppData\Local\Temp\a8dbd40709be3a20905a59a3f989835e3bbf8cd6e85cdc0566d74a04df3d3f37.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4772
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe
  2⤵
  - Modifies registry class
  PID:2360
- C:\Users\Admin\AppData\Local\smss.exe
  C:\Users\Admin\AppData\Local\smss.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Drops startup file
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5044
- - C:\Users\Admin\AppData\Local\winlogon.exe
    C:\Users\Admin\AppData\Local\winlogon.exe
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:5016
- - C:\Windows\SysWOW64\at.exe
    at /delete /y
    3⤵
    PID:4652
- - C:\Windows\SysWOW64\at.exe
    at 17:08 /every:M,T,W,Th,F,S,Su "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WowTumpeh.com"
    3⤵
    PID:2220
- - C:\Users\Admin\AppData\Local\services.exe
    C:\Users\Admin\AppData\Local\services.exe
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2128
- - C:\Users\Admin\AppData\Local\lsass.exe
    C:\Users\Admin\AppData\Local\lsass.exe
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:3904
- - C:\Users\Admin\AppData\Local\inetinfo.exe
    C:\Users\Admin\AppData\Local\inetinfo.exe
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:4276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry