abe8d333f59ea071a98d9c9a70005a746c472f9faf211d968e0143bd508efb65

System Information Discovery

Processes:

abe8d333f59ea071a98d9c9a70005a746c472f9faf211d968e0143bd508efb65.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	abe8d333f59ea071a98d9c9a70005a746c472f9faf211d968e0143bd508efb65.exe

Drops startup file 2 IoCs

Processes:

cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\abe8d333f59ea071a98d9c9a70005a746c472f9faf211d968e0143bd508efb65.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\abe8d333f59ea071a98d9c9a70005a746c472f9faf211d968e0143bd508efb65.exe	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Example = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Example.exe"	reg.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 bot.whatismyipaddress.com

flow	ioc
11	bot.whatismyipaddress.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

abe8d333f59ea071a98d9c9a70005a746c472f9faf211d968e0143bd508efb65.exe

description	pid	process	target process
PID 1724 set thread context of 3660	1724	abe8d333f59ea071a98d9c9a70005a746c472f9faf211d968e0143bd508efb65.exe	vbc.exe

Drops file in Windows directory 1 IoCs

Processes:

dw20.exe

description ioc process

File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp dw20.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	dw20.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

dw20.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

Processes:

dw20.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

abe8d333f59ea071a98d9c9a70005a746c472f9faf211d968e0143bd508efb65.exe

pid process

1724 abe8d333f59ea071a98d9c9a70005a746c472f9faf211d968e0143bd508efb65.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

abe8d333f59ea071a98d9c9a70005a746c472f9faf211d968e0143bd508efb65.exedw20.exe

description	pid	process
Token: SeDebugPrivilege	1724	abe8d333f59ea071a98d9c9a70005a746c472f9faf211d968e0143bd508efb65.exe
Token: SeRestorePrivilege	4144	dw20.exe
Token: SeBackupPrivilege	4144	dw20.exe
Token: SeBackupPrivilege	4144	dw20.exe
Token: SeBackupPrivilege	4144	dw20.exe
Token: SeBackupPrivilege	4144	dw20.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

abe8d333f59ea071a98d9c9a70005a746c472f9faf211d968e0143bd508efb65.exe

pid	process
1724	abe8d333f59ea071a98d9c9a70005a746c472f9faf211d968e0143bd508efb65.exe
1724	abe8d333f59ea071a98d9c9a70005a746c472f9faf211d968e0143bd508efb65.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

abe8d333f59ea071a98d9c9a70005a746c472f9faf211d968e0143bd508efb65.execmd.exe

description	pid	process	target process
PID 1724 wrote to memory of 3508	1724	abe8d333f59ea071a98d9c9a70005a746c472f9faf211d968e0143bd508efb65.exe	cmd.exe
PID 1724 wrote to memory of 3508	1724	abe8d333f59ea071a98d9c9a70005a746c472f9faf211d968e0143bd508efb65.exe	cmd.exe
PID 1724 wrote to memory of 3508	1724	abe8d333f59ea071a98d9c9a70005a746c472f9faf211d968e0143bd508efb65.exe	cmd.exe
PID 1724 wrote to memory of 4456	1724	abe8d333f59ea071a98d9c9a70005a746c472f9faf211d968e0143bd508efb65.exe	cmd.exe
PID 1724 wrote to memory of 4456	1724	abe8d333f59ea071a98d9c9a70005a746c472f9faf211d968e0143bd508efb65.exe	cmd.exe
PID 1724 wrote to memory of 4456	1724	abe8d333f59ea071a98d9c9a70005a746c472f9faf211d968e0143bd508efb65.exe	cmd.exe
PID 4456 wrote to memory of 4052	4456	cmd.exe	reg.exe
PID 4456 wrote to memory of 4052	4456	cmd.exe	reg.exe
PID 4456 wrote to memory of 4052	4456	cmd.exe	reg.exe
PID 1724 wrote to memory of 4144	1724	abe8d333f59ea071a98d9c9a70005a746c472f9faf211d968e0143bd508efb65.exe	dw20.exe
PID 1724 wrote to memory of 4144	1724	abe8d333f59ea071a98d9c9a70005a746c472f9faf211d968e0143bd508efb65.exe	dw20.exe
PID 1724 wrote to memory of 4144	1724	abe8d333f59ea071a98d9c9a70005a746c472f9faf211d968e0143bd508efb65.exe	dw20.exe
PID 1724 wrote to memory of 3660	1724	abe8d333f59ea071a98d9c9a70005a746c472f9faf211d968e0143bd508efb65.exe	vbc.exe
PID 1724 wrote to memory of 3660	1724	abe8d333f59ea071a98d9c9a70005a746c472f9faf211d968e0143bd508efb65.exe	vbc.exe
PID 1724 wrote to memory of 3660	1724	abe8d333f59ea071a98d9c9a70005a746c472f9faf211d968e0143bd508efb65.exe	vbc.exe
PID 1724 wrote to memory of 3660	1724	abe8d333f59ea071a98d9c9a70005a746c472f9faf211d968e0143bd508efb65.exe	vbc.exe
PID 1724 wrote to memory of 3660	1724	abe8d333f59ea071a98d9c9a70005a746c472f9faf211d968e0143bd508efb65.exe	vbc.exe
PID 1724 wrote to memory of 3660	1724	abe8d333f59ea071a98d9c9a70005a746c472f9faf211d968e0143bd508efb65.exe	vbc.exe
PID 1724 wrote to memory of 3660	1724	abe8d333f59ea071a98d9c9a70005a746c472f9faf211d968e0143bd508efb65.exe	vbc.exe
PID 1724 wrote to memory of 3660	1724	abe8d333f59ea071a98d9c9a70005a746c472f9faf211d968e0143bd508efb65.exe	vbc.exe
PID 1724 wrote to memory of 3660	1724	abe8d333f59ea071a98d9c9a70005a746c472f9faf211d968e0143bd508efb65.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\abe8d333f59ea071a98d9c9a70005a746c472f9faf211d968e0143bd508efb65.exe
"C:\Users\Admin\AppData\Local\Temp\abe8d333f59ea071a98d9c9a70005a746c472f9faf211d968e0143bd508efb65.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy /z "C:\Users\Admin\AppData\Local\Temp\abe8d333f59ea071a98d9c9a70005a746c472f9faf211d968e0143bd508efb65.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\abe8d333f59ea071a98d9c9a70005a746c472f9faf211d968e0143bd508efb65.exe"
2⤵
- Drops startup file
PID:3508

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Example" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Example.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4456

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Example" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Example.exe
3⤵
- Adds Run key to start application
PID:4052

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 2552
2⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:4144

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\logff.txt
2⤵
PID:3660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

3

System Information Discovery

4

Lateral Movement

Collection

Data from Local System