342d6c8cf7169e937dc7328b750c39528740e649a58fecad34d63fa51a37b6d0

Processes:

Winlogon.exeWinlogon.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell\Iceberg = "\"C:\\Users\\Admin\\AppData\\Roaming\\Iceberg.exe\""	Winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit\Iceberg = "\"C:\\Users\\Admin\\AppData\\Roaming\\Iceberg.exe\""	Winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell\Iceberg = "\"C:\\Users\\Admin\\AppData\\Roaming\\Iceberg.exe\""	Winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit\Iceberg = "\"C:\\Users\\Admin\\AppData\\Roaming\\Iceberg.exe\""	Winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell	Winlogon.exe

Modifies security service 2 TTPs 2 IoCs

Modify Registry

Modify Existing Service

T1031

Processes:

Winlogon.exeWinlogon.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	Winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	Winlogon.exe

UAC bypass 3 TTPs 4 IoCs

Bypass User Account Control

T1088

Disabling Security Tools

Modify Registry

Processes:

342d6c8cf7169e937dc7328b750c39528740e649a58fecad34d63fa51a37b6d0.exeWinlogon.exe30261.exeWinlogon.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	342d6c8cf7169e937dc7328b750c39528740e649a58fecad34d63fa51a37b6d0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	30261.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Winlogon.exe

Windows security bypass 2 TTPs 4 IoCs

Disabling Security Tools

Modify Registry

Processes:

Winlogon.exe30261.exeWinlogon.exe342d6c8cf7169e937dc7328b750c39528740e649a58fecad34d63fa51a37b6d0.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	30261.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	342d6c8cf7169e937dc7328b750c39528740e649a58fecad34d63fa51a37b6d0.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

Winlogon.exeWinlogon.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Iceberg = "\"C:\\Users\\Admin\\AppData\\Roaming\\Iceberg.exe\""	Winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Iceberg = "\"C:\\Users\\Admin\\AppData\\Roaming\\Iceberg.exe\""	Winlogon.exe

Disables RegEdit via registry modification 1 IoCs

Processes:

reg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\disableregistrytools = "1"	reg.exe

Disables Task Manager via registry modification
evasion
Executes dropped EXE 3 IoCs

Processes:

Winlogon.exe30261.exeWinlogon.exe

pid process

2800 Winlogon.exe
5024 30261.exe
5084 Winlogon.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
2800	Winlogon.exe
5024	30261.exe
5084	Winlogon.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4908-133-0x0000000000400000-0x0000000000451000-memory.dmp	upx
C:\Winlogon.exe	upx
\??\c:\Winlogon.exe	upx
behavioral2/memory/2800-140-0x0000000000400000-0x0000000000451000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\30261.exe	upx
C:\Users\Admin\AppData\Local\Temp\30261.exe	upx
C:\Winlogon.exe	upx
behavioral2/memory/5024-153-0x0000000000400000-0x0000000000451000-memory.dmp	upx
behavioral2/memory/4908-155-0x0000000000400000-0x0000000000451000-memory.dmp	upx
behavioral2/memory/2800-156-0x0000000000400000-0x0000000000451000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\Iceberg.exe	upx
behavioral2/memory/5084-162-0x0000000000400000-0x0000000000451000-memory.dmp	upx
behavioral2/memory/5024-163-0x0000000000400000-0x0000000000451000-memory.dmp	upx

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

342d6c8cf7169e937dc7328b750c39528740e649a58fecad34d63fa51a37b6d0.exeWinlogon.exe30261.exeWinlogon.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Wine	342d6c8cf7169e937dc7328b750c39528740e649a58fecad34d63fa51a37b6d0.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Wine	Winlogon.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Wine	30261.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Wine	Winlogon.exe

Windows security modification 2 TTPs 4 IoCs

Disabling Security Tools

Modify Registry

Processes:

Winlogon.exe342d6c8cf7169e937dc7328b750c39528740e649a58fecad34d63fa51a37b6d0.exeWinlogon.exe30261.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	342d6c8cf7169e937dc7328b750c39528740e649a58fecad34d63fa51a37b6d0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0"	30261.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

Winlogon.exeWinlogon.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	Winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Iceberg = "\"C:\\Users\\Admin\\AppData\\Roaming\\Iceberg.exe\""	Winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Iceberg = "\"C:\\Users\\Admin\\AppData\\Roaming\\Iceberg.exe\""	Winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	Winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Iceberg = "\"C:\\Users\\Admin\\AppData\\Roaming\\Iceberg.exe\""	Winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Iceberg = "\"C:\\Users\\Admin\\AppData\\Roaming\\Iceberg.exe\""	Winlogon.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

System Information Discovery

T1082

Processes:

Winlogon.exe342d6c8cf7169e937dc7328b750c39528740e649a58fecad34d63fa51a37b6d0.exeWinlogon.exe30261.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	342d6c8cf7169e937dc7328b750c39528740e649a58fecad34d63fa51a37b6d0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	30261.exe

Drops file in Program Files directory 42 IoCs

Processes:

Winlogon.exeWinlogon.exe

description	ioc	process
File created	C:\Program Files\eMule\Incoming\PhotoshopCS6.exe	Winlogon.exe
File created	C:\Program Files\Filetopia3\Files\PhotoshopCS6.exe	Winlogon.exe
File created	C:\Program Files\XoloX\Downloads\PhotoshopCS6.exe	Winlogon.exe
File created	C:\Program Files\Morpheus\My Shared Folder\PhotoshopCS6.exe	Winlogon.exe
File created	C:\Program Files\LimeWire\Shared\PhotoshopCS6.exe	Winlogon.exe
File created	C:\Program Files\Ares\My Shared Folder\PhotoshopCS6.exe	Winlogon.exe
File created	C:\Program Files\EDONKEY2000\incoming\PhotoshopCS6.exe	Winlogon.exe
File created	C:\Program Files\LimeWire\Shared\PhotoshopCS6.exe	Winlogon.exe
File created	C:\Program Files\Grokster\My Grokster\PhotoshopCS6.exe	Winlogon.exe
File created	C:\Program Files\BearShare\Shared\PhotoshopCS6.exe	Winlogon.exe
File created	C:\Program Files\ICQ\shared files\PhotoshopCS6.exe	Winlogon.exe
File created	C:\Program Files\appleJuice\incoming\PhotoshopCS6.exe	Winlogon.exe
File created	C:\Program Files\Overnet\incoming\PhotoshopCS6.exe	Winlogon.exe
File created	C:\Program Files\XoloX\Downloads\PhotoshopCS6.exe	Winlogon.exe
File created	C:\Program Files\EDONKEY2000\incoming\PhotoshopCS6.exe	Winlogon.exe
File created	C:\Program Files\WinMX\My Shared Folder\PhotoshopCS6.exe	Winlogon.exe
File created	C:\Program Files\Tesla\Files\PhotoshopCS6.exe	Winlogon.exe
File created	C:\Program Files\Grokster\My Grokster\PhotoshopCS6.exe	Winlogon.exe
File created	C:\Program Files\Morpheus\My Shared Folder\PhotoshopCS6.exe	Winlogon.exe
File created	C:\Program Files\ICQ\shared files\PhotoshopCS6.exe	Winlogon.exe
File created	C:\Program Files\eMule\Incoming\PhotoshopCS6.exe	Winlogon.exe
File created	C:\Program Files\KaZaA\My Shared Folder\PhotoshopCS6.exe	Winlogon.exe
File created	C:\Program Files\BearShare\Shared\PhotoshopCS6.exe	Winlogon.exe
File created	C:\Program Files\Ares\My Shared Folder\PhotoshopCS6.exe	Winlogon.exe
File created	C:\Program Files\Swaptor\Download\PhotoshopCS6.exe	Winlogon.exe
File created	C:\Program Files\Rapigator\Share\PhotoshopCS6.exe	Winlogon.exe
File created	C:\Program Files\Swaptor\Download\PhotoshopCS6.exe	Winlogon.exe
File created	C:\Program Files\KaZaA Lite\My Shared Folder\PhotoshopCS6.exe	Winlogon.exe
File created	C:\Program Files\WinMX\My Shared Folder\PhotoshopCS6.exe	Winlogon.exe
File created	C:\Program Files\Filetopia3\Files\PhotoshopCS6.exe	Winlogon.exe
File created	C:\Program Files\Tesla\Files\PhotoshopCS6.exe	Winlogon.exe
File created	C:\Program Files\Gnucleus\Downloads\PhotoshopCS6.exe	Winlogon.exe
File created	C:\Program Files\Overnet\incoming\PhotoshopCS6.exe	Winlogon.exe
File created	C:\Program Files\appleJuice\incoming\PhotoshopCS6.exe	Winlogon.exe
File created	C:\Program Files\KaZaA\My Shared Folder\PhotoshopCS6.exe	Winlogon.exe
File created	C:\Program Files\Direct Connect\Received Files\PhotoshopCS6.exe	Winlogon.exe
File created	C:\Program Files\Gnucleus\Downloads\PhotoshopCS6.exe	Winlogon.exe
File created	C:\Program Files\Rapigator\Share\PhotoshopCS6.exe	Winlogon.exe
File created	C:\Program Files\KMD\My Shared Folder\PhotoshopCS6.exe	Winlogon.exe
File created	C:\Program Files\KaZaA Lite\My Shared Folder\PhotoshopCS6.exe	Winlogon.exe
File created	C:\Program Files\Direct Connect\Received Files\PhotoshopCS6.exe	Winlogon.exe
File created	C:\Program Files\KMD\My Shared Folder\PhotoshopCS6.exe	Winlogon.exe

Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exe

pid process

3656 sc.exe
4532 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

2432 reg.exe
3720 reg.exe
Runs net.exe

pid	process
3656	sc.exe
4532	sc.exe

pid	process
2432	reg.exe
3720	reg.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

342d6c8cf7169e937dc7328b750c39528740e649a58fecad34d63fa51a37b6d0.exeWinlogon.exe30261.exeWinlogon.exe

pid	process
4908	342d6c8cf7169e937dc7328b750c39528740e649a58fecad34d63fa51a37b6d0.exe
4908	342d6c8cf7169e937dc7328b750c39528740e649a58fecad34d63fa51a37b6d0.exe
4908	342d6c8cf7169e937dc7328b750c39528740e649a58fecad34d63fa51a37b6d0.exe
4908	342d6c8cf7169e937dc7328b750c39528740e649a58fecad34d63fa51a37b6d0.exe
2800	Winlogon.exe
2800	Winlogon.exe
2800	Winlogon.exe
2800	Winlogon.exe
5024	30261.exe
5024	30261.exe
5024	30261.exe
5024	30261.exe
5084	Winlogon.exe
5084	Winlogon.exe
5084	Winlogon.exe
5084	Winlogon.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

342d6c8cf7169e937dc7328b750c39528740e649a58fecad34d63fa51a37b6d0.exeWinlogon.exe30261.exeWinlogon.exe

description	pid	process
Token: SeBackupPrivilege	4908	342d6c8cf7169e937dc7328b750c39528740e649a58fecad34d63fa51a37b6d0.exe
Token: SeBackupPrivilege	2800	Winlogon.exe
Token: SeBackupPrivilege	5024	30261.exe
Token: SeBackupPrivilege	5084	Winlogon.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

342d6c8cf7169e937dc7328b750c39528740e649a58fecad34d63fa51a37b6d0.exeWinlogon.exe30261.exeWinlogon.exe

pid process

4908 342d6c8cf7169e937dc7328b750c39528740e649a58fecad34d63fa51a37b6d0.exe
2800 Winlogon.exe
5024 30261.exe
5084 Winlogon.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

342d6c8cf7169e937dc7328b750c39528740e649a58fecad34d63fa51a37b6d0.exeWinlogon.exenet.exe30261.exeWinlogon.exenet.exe

description	pid	process	target process
PID 4908 wrote to memory of 2800	4908	342d6c8cf7169e937dc7328b750c39528740e649a58fecad34d63fa51a37b6d0.exe	Winlogon.exe
PID 4908 wrote to memory of 2800	4908	342d6c8cf7169e937dc7328b750c39528740e649a58fecad34d63fa51a37b6d0.exe	Winlogon.exe
PID 4908 wrote to memory of 2800	4908	342d6c8cf7169e937dc7328b750c39528740e649a58fecad34d63fa51a37b6d0.exe	Winlogon.exe
PID 2800 wrote to memory of 2432	2800	Winlogon.exe	reg.exe
PID 2800 wrote to memory of 2432	2800	Winlogon.exe	reg.exe
PID 2800 wrote to memory of 2432	2800	Winlogon.exe	reg.exe
PID 2800 wrote to memory of 3656	2800	Winlogon.exe	sc.exe
PID 2800 wrote to memory of 3656	2800	Winlogon.exe	sc.exe
PID 2800 wrote to memory of 3656	2800	Winlogon.exe	sc.exe
PID 2800 wrote to memory of 3212	2800	Winlogon.exe	net.exe
PID 2800 wrote to memory of 3212	2800	Winlogon.exe	net.exe
PID 2800 wrote to memory of 3212	2800	Winlogon.exe	net.exe
PID 4908 wrote to memory of 5024	4908	342d6c8cf7169e937dc7328b750c39528740e649a58fecad34d63fa51a37b6d0.exe	30261.exe
PID 4908 wrote to memory of 5024	4908	342d6c8cf7169e937dc7328b750c39528740e649a58fecad34d63fa51a37b6d0.exe	30261.exe
PID 4908 wrote to memory of 5024	4908	342d6c8cf7169e937dc7328b750c39528740e649a58fecad34d63fa51a37b6d0.exe	30261.exe
PID 3212 wrote to memory of 1356	3212	net.exe	net1.exe
PID 3212 wrote to memory of 1356	3212	net.exe	net1.exe
PID 3212 wrote to memory of 1356	3212	net.exe	net1.exe
PID 5024 wrote to memory of 5084	5024	30261.exe	Winlogon.exe
PID 5024 wrote to memory of 5084	5024	30261.exe	Winlogon.exe
PID 5024 wrote to memory of 5084	5024	30261.exe	Winlogon.exe
PID 5084 wrote to memory of 3720	5084	Winlogon.exe	reg.exe
PID 5084 wrote to memory of 3720	5084	Winlogon.exe	reg.exe
PID 5084 wrote to memory of 3720	5084	Winlogon.exe	reg.exe
PID 5084 wrote to memory of 4532	5084	Winlogon.exe	sc.exe
PID 5084 wrote to memory of 4532	5084	Winlogon.exe	sc.exe
PID 5084 wrote to memory of 4532	5084	Winlogon.exe	sc.exe
PID 5084 wrote to memory of 2256	5084	Winlogon.exe	net.exe
PID 5084 wrote to memory of 2256	5084	Winlogon.exe	net.exe
PID 5084 wrote to memory of 2256	5084	Winlogon.exe	net.exe
PID 2256 wrote to memory of 2616	2256	net.exe	net1.exe
PID 2256 wrote to memory of 2616	2256	net.exe	net1.exe
PID 2256 wrote to memory of 2616	2256	net.exe	net1.exe

System policy modification 1 TTPs 4 IoCs

Modify Registry

Processes:

342d6c8cf7169e937dc7328b750c39528740e649a58fecad34d63fa51a37b6d0.exeWinlogon.exe30261.exeWinlogon.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	342d6c8cf7169e937dc7328b750c39528740e649a58fecad34d63fa51a37b6d0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	30261.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Winlogon.exe

C:\Users\Admin\AppData\Local\Temp\342d6c8cf7169e937dc7328b750c39528740e649a58fecad34d63fa51a37b6d0.exe
"C:\Users\Admin\AppData\Local\Temp\342d6c8cf7169e937dc7328b750c39528740e649a58fecad34d63fa51a37b6d0.exe"
1⤵
- UAC bypass
- Windows security bypass
- Identifies Wine through registry keys
- Windows security modification
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4908

\??\c:\Winlogon.exe
c:\Winlogon.exe
2⤵
- Modifies WinLogon for persistence
- Modifies security service
- UAC bypass
- Windows security bypass
- Adds policy Run key to start application
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2800

C:\Windows\SysWOW64\reg.exe
reg add hkcu\software\microsoft\windows\currentversion\policies\system /v disableregistrytools /t reg_dword /d "1" /f
3⤵
- Disables RegEdit via registry modification
- Modifies registry key
PID:2432

C:\Windows\SysWOW64\sc.exe
sc stop SharedAccess
3⤵
- Launches sc.exe
PID:3656

C:\Windows\SysWOW64\net.exe
net stop wscsvc
3⤵
- Suspicious use of WriteProcessMemory
PID:3212

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wscsvc
4⤵
PID:1356

C:\Users\Admin\AppData\Local\Temp\30261.exe
C:\Users\Admin\AppData\Local\Temp\30261.exe
2⤵
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5024

\??\c:\Winlogon.exe
c:\Winlogon.exe
3⤵
- Modifies WinLogon for persistence
- Modifies security service
- UAC bypass
- Windows security bypass
- Adds policy Run key to start application
- Executes dropped EXE
- Identifies Wine through registry keys
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5084

C:\Windows\SysWOW64\reg.exe
reg add hkcu\software\microsoft\windows\currentversion\policies\system /v disableregistrytools /t reg_dword /d "1" /f
4⤵
- Modifies registry key
PID:3720

C:\Windows\SysWOW64\sc.exe
sc stop SharedAccess
4⤵
- Launches sc.exe
PID:4532

C:\Windows\SysWOW64\net.exe
net stop wscsvc
4⤵
- Suspicious use of WriteProcessMemory
PID:2256

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop wscsvc
5⤵
PID:2616

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

Impair Defenses

T1562

Modify Registry