a99e0e2de349279a4522a632cfcefe879c557bf0f439f97a6af91534f97ebf22

Change Default File Association

T1042

Processes:

a99e0e2de349279a4522a632cfcefe879c557bf0f439f97a6af91534f97ebf22.exenam.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	a99e0e2de349279a4522a632cfcefe879c557bf0f439f97a6af91534f97ebf22.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	nam.exe

Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

Modify Registry

Processes:

a99e0e2de349279a4522a632cfcefe879c557bf0f439f97a6af91534f97ebf22.exenam.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	a99e0e2de349279a4522a632cfcefe879c557bf0f439f97a6af91534f97ebf22.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	nam.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

Modify Registry

Processes:

a99e0e2de349279a4522a632cfcefe879c557bf0f439f97a6af91534f97ebf22.exenam.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	a99e0e2de349279a4522a632cfcefe879c557bf0f439f97a6af91534f97ebf22.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	nam.exe

Executes dropped EXE 1 IoCs

Processes:

nam.exe

pid process

896 nam.exe

pid	process
896	nam.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

nam.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	nam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStyle = "c:\\windows\\system32\\Desktop.sysm"	nam.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

nam.exe

description	ioc	process
File opened (read-only)	\??\V:	nam.exe
File opened (read-only)	\??\E:	nam.exe
File opened (read-only)	\??\J:	nam.exe
File opened (read-only)	\??\Q:	nam.exe
File opened (read-only)	\??\R:	nam.exe
File opened (read-only)	\??\F:	nam.exe
File opened (read-only)	\??\P:	nam.exe
File opened (read-only)	\??\U:	nam.exe
File opened (read-only)	\??\N:	nam.exe
File opened (read-only)	\??\S:	nam.exe
File opened (read-only)	\??\W:	nam.exe
File opened (read-only)	\??\H:	nam.exe
File opened (read-only)	\??\I:	nam.exe
File opened (read-only)	\??\K:	nam.exe
File opened (read-only)	\??\M:	nam.exe
File opened (read-only)	\??\T:	nam.exe
File opened (read-only)	\??\X:	nam.exe
File opened (read-only)	\??\Y:	nam.exe
File opened (read-only)	\??\Z:	nam.exe
File opened (read-only)	\??\B:	nam.exe
File opened (read-only)	\??\G:	nam.exe
File opened (read-only)	\??\L:	nam.exe
File opened (read-only)	\??\O:	nam.exe

Drops file in System32 directory 6 IoCs

Processes:

a99e0e2de349279a4522a632cfcefe879c557bf0f439f97a6af91534f97ebf22.exenam.exe

description	ioc	process
File created	\??\c:\windows\SysWOW64\maxtrox.txt	a99e0e2de349279a4522a632cfcefe879c557bf0f439f97a6af91534f97ebf22.exe
File created	\??\c:\windows\SysWOW64\Windows 3D.scr	a99e0e2de349279a4522a632cfcefe879c557bf0f439f97a6af91534f97ebf22.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	nam.exe
File opened for modification	\??\c:\windows\SysWOW64\Windows 3D.scr	nam.exe
File created	\??\c:\windows\SysWOW64\Desktop.sysm	nam.exe
File created	\??\c:\windows\SysWOW64\CommandPrompt.Sysm	nam.exe

Drops file in Program Files directory 27 IoCs

Processes:

nam.exe

description	ioc	process
File opened for modification	\??\c:\Program Files\Mozilla Firefox\plugin-container.exe	nam.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpconfig.exe	nam.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iexplore.exe	nam.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice.exe	nam.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\plugin-hang-ui.exe	nam.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpshare.exe	nam.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zFM.exe	nam.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ieinstal.exe	nam.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ielowutil.exe	nam.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\crashreporter.exe	nam.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\pingsender.exe	nam.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zG.exe	nam.exe
File opened for modification	\??\c:\Program Files\7-Zip\Uninstall.exe	nam.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmlaunch.exe	nam.exe
File opened for modification	\??\c:\Program Files\Windows Mail\wabmig.exe	nam.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\setup_wm.exe	nam.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnetwk.exe	nam.exe
File opened for modification	\??\c:\Program Files\7-Zip\7z.exe	nam.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\minidump-analyzer.exe	nam.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\default-browser-agent.exe	nam.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\firefox.exe	nam.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	nam.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmplayer.exe	nam.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmprph.exe	nam.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iediagcmd.exe	nam.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\updater.exe	nam.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnscfg.exe	nam.exe

Modifies registry class 36 IoCs

Processes:

a99e0e2de349279a4522a632cfcefe879c557bf0f439f97a6af91534f97ebf22.exenam.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open	a99e0e2de349279a4522a632cfcefe879c557bf0f439f97a6af91534f97ebf22.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	nam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	nam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	nam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	nam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	a99e0e2de349279a4522a632cfcefe879c557bf0f439f97a6af91534f97ebf22.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	a99e0e2de349279a4522a632cfcefe879c557bf0f439f97a6af91534f97ebf22.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	a99e0e2de349279a4522a632cfcefe879c557bf0f439f97a6af91534f97ebf22.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	a99e0e2de349279a4522a632cfcefe879c557bf0f439f97a6af91534f97ebf22.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell	a99e0e2de349279a4522a632cfcefe879c557bf0f439f97a6af91534f97ebf22.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	a99e0e2de349279a4522a632cfcefe879c557bf0f439f97a6af91534f97ebf22.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	nam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	nam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	nam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	a99e0e2de349279a4522a632cfcefe879c557bf0f439f97a6af91534f97ebf22.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	a99e0e2de349279a4522a632cfcefe879c557bf0f439f97a6af91534f97ebf22.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open	a99e0e2de349279a4522a632cfcefe879c557bf0f439f97a6af91534f97ebf22.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	a99e0e2de349279a4522a632cfcefe879c557bf0f439f97a6af91534f97ebf22.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	nam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	nam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	a99e0e2de349279a4522a632cfcefe879c557bf0f439f97a6af91534f97ebf22.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	nam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	nam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell	a99e0e2de349279a4522a632cfcefe879c557bf0f439f97a6af91534f97ebf22.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	a99e0e2de349279a4522a632cfcefe879c557bf0f439f97a6af91534f97ebf22.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	nam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	nam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	a99e0e2de349279a4522a632cfcefe879c557bf0f439f97a6af91534f97ebf22.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	a99e0e2de349279a4522a632cfcefe879c557bf0f439f97a6af91534f97ebf22.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	a99e0e2de349279a4522a632cfcefe879c557bf0f439f97a6af91534f97ebf22.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	a99e0e2de349279a4522a632cfcefe879c557bf0f439f97a6af91534f97ebf22.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	a99e0e2de349279a4522a632cfcefe879c557bf0f439f97a6af91534f97ebf22.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	nam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	nam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	nam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	a99e0e2de349279a4522a632cfcefe879c557bf0f439f97a6af91534f97ebf22.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

a99e0e2de349279a4522a632cfcefe879c557bf0f439f97a6af91534f97ebf22.exenam.exe

pid process

536 a99e0e2de349279a4522a632cfcefe879c557bf0f439f97a6af91534f97ebf22.exe
896 nam.exe

pid	process
536	a99e0e2de349279a4522a632cfcefe879c557bf0f439f97a6af91534f97ebf22.exe
896	nam.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

a99e0e2de349279a4522a632cfcefe879c557bf0f439f97a6af91534f97ebf22.exe

description	pid	process	target process
PID 536 wrote to memory of 896	536	a99e0e2de349279a4522a632cfcefe879c557bf0f439f97a6af91534f97ebf22.exe	nam.exe
PID 536 wrote to memory of 896	536	a99e0e2de349279a4522a632cfcefe879c557bf0f439f97a6af91534f97ebf22.exe	nam.exe
PID 536 wrote to memory of 896	536	a99e0e2de349279a4522a632cfcefe879c557bf0f439f97a6af91534f97ebf22.exe	nam.exe

C:\Users\Admin\AppData\Local\Temp\a99e0e2de349279a4522a632cfcefe879c557bf0f439f97a6af91534f97ebf22.exe
"C:\Users\Admin\AppData\Local\Temp\a99e0e2de349279a4522a632cfcefe879c557bf0f439f97a6af91534f97ebf22.exe"
1⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:536

\??\c:\Documents and Settings\Admin\Application Data\Microsoft\nam.exe
"c:\Documents and Settings\Admin\Application Data\Microsoft\nam.exe" a99e0e2de349279a4522a632cfcefe879c557bf0f439f97a6af91534f97ebf22
2⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:896

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Hidden Files and Directories

2

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

4

Hidden Files and Directories

2

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery