dc322672a1f1879fee8bc8e67c8e3f2a02fe79f7c56eb24a05a6433dd2083cd1

System Information Discovery

Processes:

dc322672a1f1879fee8bc8e67c8e3f2a02fe79f7c56eb24a05a6433dd2083cd1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	dc322672a1f1879fee8bc8e67c8e3f2a02fe79f7c56eb24a05a6433dd2083cd1.exe

Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

3516 takeown.exe
748 icacls.exe
3056 takeown.exe
2912 icacls.exe

pid	process
3516	takeown.exe
748	icacls.exe
3056	takeown.exe
2912	icacls.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

e57bf29.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	e57bf29.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	e57bf29.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	e57bf29.exe

Maps connected drives based on registry 3 TTPs 3 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

e57bf29.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	e57bf29.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	e57bf29.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	e57bf29.exe

Drops file in System32 directory 4 IoCs

Processes:

e57bf29.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ws2tcpip.dll	e57bf29.exe
File opened for modification	C:\Windows\SysWOW64\ws2tcpip.dll	e57bf29.exe
File created	C:\Windows\SysWOW64\wshtcpip.dll	e57bf29.exe
File created	C:\Windows\SysWOW64\midimap.dll	e57bf29.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

dc322672a1f1879fee8bc8e67c8e3f2a02fe79f7c56eb24a05a6433dd2083cd1.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dc322672a1f1879fee8bc8e67c8e3f2a02fe79f7c56eb24a05a6433dd2083cd1.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	dc322672a1f1879fee8bc8e67c8e3f2a02fe79f7c56eb24a05a6433dd2083cd1.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1136 schtasks.exe

pid	process
1136	schtasks.exe

Modifies registry class 4 IoCs

Processes:

e57bf29.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID	e57bf29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\HOOK_ID\name = "e57bf29.exe"	e57bf29.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL	e57bf29.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\SYS_DLL\name = "R2uH.dll"	e57bf29.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

e57bf29.exe

pid	process
3852	e57bf29.exe
3852	e57bf29.exe
3852	e57bf29.exe
3852	e57bf29.exe
3852	e57bf29.exe
3852	e57bf29.exe
3852	e57bf29.exe
3852	e57bf29.exe
3852	e57bf29.exe
3852	e57bf29.exe
3852	e57bf29.exe
3852	e57bf29.exe
3852	e57bf29.exe
3852	e57bf29.exe
3852	e57bf29.exe
3852	e57bf29.exe
3852	e57bf29.exe
3852	e57bf29.exe
3852	e57bf29.exe
3852	e57bf29.exe
3852	e57bf29.exe
3852	e57bf29.exe
3852	e57bf29.exe
3852	e57bf29.exe
3852	e57bf29.exe
3852	e57bf29.exe
3852	e57bf29.exe
3852	e57bf29.exe
3852	e57bf29.exe
3852	e57bf29.exe
3852	e57bf29.exe
3852	e57bf29.exe
3852	e57bf29.exe
3852	e57bf29.exe
3852	e57bf29.exe
3852	e57bf29.exe
3852	e57bf29.exe
3852	e57bf29.exe
3852	e57bf29.exe
3852	e57bf29.exe
3852	e57bf29.exe
3852	e57bf29.exe
3852	e57bf29.exe
3852	e57bf29.exe
3852	e57bf29.exe
3852	e57bf29.exe
3852	e57bf29.exe
3852	e57bf29.exe
3852	e57bf29.exe
3852	e57bf29.exe
3852	e57bf29.exe
3852	e57bf29.exe
3852	e57bf29.exe
3852	e57bf29.exe
3852	e57bf29.exe
3852	e57bf29.exe
3852	e57bf29.exe
3852	e57bf29.exe
3852	e57bf29.exe
3852	e57bf29.exe
3852	e57bf29.exe
3852	e57bf29.exe
3852	e57bf29.exe
3852	e57bf29.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

e57bf29.exe

pid process

644
3852 e57bf29.exe

pid	process
644
3852	e57bf29.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

e57bf29.exetakeown.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	3852	e57bf29.exe
Token: SeTakeOwnershipPrivilege	3516	takeown.exe
Token: SeTakeOwnershipPrivilege	3056	takeown.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

dc322672a1f1879fee8bc8e67c8e3f2a02fe79f7c56eb24a05a6433dd2083cd1.exe

pid	process
3756	dc322672a1f1879fee8bc8e67c8e3f2a02fe79f7c56eb24a05a6433dd2083cd1.exe
3756	dc322672a1f1879fee8bc8e67c8e3f2a02fe79f7c56eb24a05a6433dd2083cd1.exe
3756	dc322672a1f1879fee8bc8e67c8e3f2a02fe79f7c56eb24a05a6433dd2083cd1.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

dc322672a1f1879fee8bc8e67c8e3f2a02fe79f7c56eb24a05a6433dd2083cd1.exee57be10.tmpdc322672a1f1879fee8bc8e67c8e3f2a02fe79f7c56eb24a05a6433dd2083cd1.exee57bf29.execmd.execmd.exe

description	pid	process	target process
PID 4068 wrote to memory of 3904	4068	dc322672a1f1879fee8bc8e67c8e3f2a02fe79f7c56eb24a05a6433dd2083cd1.exe	e57be10.tmp
PID 4068 wrote to memory of 3904	4068	dc322672a1f1879fee8bc8e67c8e3f2a02fe79f7c56eb24a05a6433dd2083cd1.exe	e57be10.tmp
PID 4068 wrote to memory of 3904	4068	dc322672a1f1879fee8bc8e67c8e3f2a02fe79f7c56eb24a05a6433dd2083cd1.exe	e57be10.tmp
PID 3904 wrote to memory of 3756	3904	e57be10.tmp	dc322672a1f1879fee8bc8e67c8e3f2a02fe79f7c56eb24a05a6433dd2083cd1.exe
PID 3904 wrote to memory of 3756	3904	e57be10.tmp	dc322672a1f1879fee8bc8e67c8e3f2a02fe79f7c56eb24a05a6433dd2083cd1.exe
PID 3904 wrote to memory of 3756	3904	e57be10.tmp	dc322672a1f1879fee8bc8e67c8e3f2a02fe79f7c56eb24a05a6433dd2083cd1.exe
PID 3904 wrote to memory of 3852	3904	e57be10.tmp	e57bf29.exe
PID 3904 wrote to memory of 3852	3904	e57be10.tmp	e57bf29.exe
PID 3904 wrote to memory of 3852	3904	e57be10.tmp	e57bf29.exe
PID 3756 wrote to memory of 1268	3756	dc322672a1f1879fee8bc8e67c8e3f2a02fe79f7c56eb24a05a6433dd2083cd1.exe	schtasks.exe
PID 3756 wrote to memory of 1268	3756	dc322672a1f1879fee8bc8e67c8e3f2a02fe79f7c56eb24a05a6433dd2083cd1.exe	schtasks.exe
PID 3756 wrote to memory of 1268	3756	dc322672a1f1879fee8bc8e67c8e3f2a02fe79f7c56eb24a05a6433dd2083cd1.exe	schtasks.exe
PID 3756 wrote to memory of 1136	3756	dc322672a1f1879fee8bc8e67c8e3f2a02fe79f7c56eb24a05a6433dd2083cd1.exe	schtasks.exe
PID 3756 wrote to memory of 1136	3756	dc322672a1f1879fee8bc8e67c8e3f2a02fe79f7c56eb24a05a6433dd2083cd1.exe	schtasks.exe
PID 3756 wrote to memory of 1136	3756	dc322672a1f1879fee8bc8e67c8e3f2a02fe79f7c56eb24a05a6433dd2083cd1.exe	schtasks.exe
PID 3852 wrote to memory of 2056	3852	e57bf29.exe	cmd.exe
PID 3852 wrote to memory of 2056	3852	e57bf29.exe	cmd.exe
PID 3852 wrote to memory of 2056	3852	e57bf29.exe	cmd.exe
PID 2056 wrote to memory of 3516	2056	cmd.exe	takeown.exe
PID 2056 wrote to memory of 3516	2056	cmd.exe	takeown.exe
PID 2056 wrote to memory of 3516	2056	cmd.exe	takeown.exe
PID 2056 wrote to memory of 748	2056	cmd.exe	icacls.exe
PID 2056 wrote to memory of 748	2056	cmd.exe	icacls.exe
PID 2056 wrote to memory of 748	2056	cmd.exe	icacls.exe
PID 3852 wrote to memory of 2236	3852	e57bf29.exe	cmd.exe
PID 3852 wrote to memory of 2236	3852	e57bf29.exe	cmd.exe
PID 3852 wrote to memory of 2236	3852	e57bf29.exe	cmd.exe
PID 2236 wrote to memory of 3056	2236	cmd.exe	takeown.exe
PID 2236 wrote to memory of 3056	2236	cmd.exe	takeown.exe
PID 2236 wrote to memory of 3056	2236	cmd.exe	takeown.exe
PID 2236 wrote to memory of 2912	2236	cmd.exe	icacls.exe
PID 2236 wrote to memory of 2912	2236	cmd.exe	icacls.exe
PID 2236 wrote to memory of 2912	2236	cmd.exe	icacls.exe
PID 3852 wrote to memory of 4972	3852	e57bf29.exe	cmd.exe
PID 3852 wrote to memory of 4972	3852	e57bf29.exe	cmd.exe
PID 3852 wrote to memory of 4972	3852	e57bf29.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\dc322672a1f1879fee8bc8e67c8e3f2a02fe79f7c56eb24a05a6433dd2083cd1.exe
"C:\Users\Admin\AppData\Local\Temp\dc322672a1f1879fee8bc8e67c8e3f2a02fe79f7c56eb24a05a6433dd2083cd1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4068

C:\Users\Admin\AppData\Local\Temp\e57be10.tmp
>C:\Users\Admin\AppData\Local\Temp\dc322672a1f1879fee8bc8e67c8e3f2a02fe79f7c56eb24a05a6433dd2083cd1.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3904

C:\Users\Admin\AppData\Local\Temp\dc322672a1f1879fee8bc8e67c8e3f2a02fe79f7c56eb24a05a6433dd2083cd1.exe
"C:\Users\Admin\AppData\Local\Temp\dc322672a1f1879fee8bc8e67c8e3f2a02fe79f7c56eb24a05a6433dd2083cd1.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3756

C:\Windows\SysWOW64\schtasks.exe
schtasks /query /tn PCYac
4⤵
PID:1268

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /tn PCYac /tr "\"C:\Users\Admin\AppData\Local\Temp\dc322672a1f1879fee8bc8e67c8e3f2a02fe79f7c56eb24a05a6433dd2083cd1.exe"" /f /sc onlogon /rl highest
4⤵
- Creates scheduled task(s)
PID:1136

C:\Users\Admin\AppData\Local\Temp\e57bf29.exe
"C:\Users\Admin\AppData\Local\Temp\\e57bf29.exe"
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Sets service image path in registry
- Installs/modifies Browser Helper Object
- Maps connected drives based on registry
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3852

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f C:\Windows\SysWOW64\wshtcpip.dll && icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
4⤵
- Suspicious use of WriteProcessMemory
PID:2056

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\wshtcpip.dll
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3516

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\SysWOW64\wshtcpip.dll /grant administrators:F
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:748

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f C:\Windows\SysWOW64\midimap.dll && icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
4⤵
- Suspicious use of WriteProcessMemory
PID:2236

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\SysWOW64\midimap.dll
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3056

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\SysWOW64\midimap.dll /grant administrators:F
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ahnmove.bat
4⤵
PID:4972

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

2

T1112

File Permissions Modification

T1222

Credential Access

Discovery

Query Registry

3

System Information Discovery

4

Peripheral Device Discovery