cybergate | a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\install\\server.exe"	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe

Executes dropped EXE 2 IoCs

pid	Process
3852	server.exe
2296	server.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\system32\\install\\server.exe Restart"	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\system32\\install\\server.exe"	explorer.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3860-132-0x0000000002620000-0x0000000002658000-memory.dmp	upx
behavioral2/memory/3860-134-0x0000000002620000-0x0000000002658000-memory.dmp	upx
behavioral2/memory/3860-136-0x0000000024010000-0x0000000024072000-memory.dmp	upx
behavioral2/memory/3860-141-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/1516-144-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/1516-147-0x0000000024080000-0x00000000240E2000-memory.dmp	upx
behavioral2/memory/3860-149-0x00000000240F0000-0x0000000024152000-memory.dmp	upx
behavioral2/memory/3860-155-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral2/memory/1872-158-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral2/memory/3860-160-0x0000000002620000-0x0000000002658000-memory.dmp	upx
behavioral2/memory/1872-161-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral2/memory/1872-164-0x0000000024160000-0x00000000241C2000-memory.dmp	upx
behavioral2/memory/3852-167-0x0000000002460000-0x0000000002498000-memory.dmp	upx
behavioral2/memory/3852-169-0x0000000002460000-0x0000000002498000-memory.dmp	upx
behavioral2/memory/2296-173-0x00000000025F0000-0x0000000002628000-memory.dmp	upx
behavioral2/memory/2296-175-0x00000000025F0000-0x0000000002628000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	server.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Win32 = "C:\\Windows\\system32\\install\\server.exe"	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Win32 = "C:\\Windows\\system32\\install\\server.exe"	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\install\server.exe	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe
File opened for modification	C:\Windows\SysWOW64\install\server.exe	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe
File opened for modification	C:\Windows\SysWOW64\install\	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe
File created	C:\Windows\SysWOW64\nua.jpg	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4588	3852	WerFault.exe	87
4964	2296	WerFault.exe	91

Checks processor information in registry 2 TTPs 21 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	server.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	server.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	server.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	server.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	server.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	server.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	server.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	server.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1872	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1872	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe
Token: SeDebugPrivilege	1872	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3860	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3860 wrote to memory of 2584	3860	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe	74
PID 3860 wrote to memory of 2584	3860	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe	74
PID 3860 wrote to memory of 2584	3860	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe	74
PID 3860 wrote to memory of 2584	3860	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe	74
PID 3860 wrote to memory of 2584	3860	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe	74
PID 3860 wrote to memory of 2584	3860	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe	74
PID 3860 wrote to memory of 2584	3860	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe	74
PID 3860 wrote to memory of 2584	3860	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe	74
PID 3860 wrote to memory of 2584	3860	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe	74
PID 3860 wrote to memory of 2584	3860	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe	74
PID 3860 wrote to memory of 2584	3860	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe	74
PID 3860 wrote to memory of 2584	3860	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe	74
PID 3860 wrote to memory of 2584	3860	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe	74
PID 3860 wrote to memory of 2584	3860	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe	74
PID 3860 wrote to memory of 2584	3860	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe	74
PID 3860 wrote to memory of 2584	3860	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe	74
PID 3860 wrote to memory of 2584	3860	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe	74
PID 3860 wrote to memory of 2584	3860	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe	74
PID 3860 wrote to memory of 2584	3860	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe	74
PID 3860 wrote to memory of 2584	3860	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe	74
PID 3860 wrote to memory of 2584	3860	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe	74
PID 3860 wrote to memory of 2584	3860	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe	74
PID 3860 wrote to memory of 2584	3860	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe	74
PID 3860 wrote to memory of 2584	3860	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe	74
PID 3860 wrote to memory of 2584	3860	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe	74
PID 3860 wrote to memory of 2584	3860	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe	74
PID 3860 wrote to memory of 2584	3860	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe	74
PID 3860 wrote to memory of 2584	3860	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe	74
PID 3860 wrote to memory of 2584	3860	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe	74
PID 3860 wrote to memory of 2584	3860	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe	74
PID 3860 wrote to memory of 2584	3860	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe	74
PID 3860 wrote to memory of 2584	3860	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe	74
PID 3860 wrote to memory of 2584	3860	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe	74
PID 3860 wrote to memory of 2584	3860	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe	74
PID 3860 wrote to memory of 2584	3860	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe	74
PID 3860 wrote to memory of 2584	3860	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe	74
PID 3860 wrote to memory of 2584	3860	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe	74
PID 3860 wrote to memory of 2584	3860	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe	74
PID 3860 wrote to memory of 2584	3860	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe	74
PID 3860 wrote to memory of 2584	3860	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe	74
PID 3860 wrote to memory of 2584	3860	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe	74
PID 3860 wrote to memory of 2584	3860	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe	74
PID 3860 wrote to memory of 2584	3860	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe	74
PID 3860 wrote to memory of 2584	3860	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe	74
PID 3860 wrote to memory of 2584	3860	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe	74
PID 3860 wrote to memory of 2584	3860	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe	74
PID 3860 wrote to memory of 2584	3860	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe	74
PID 3860 wrote to memory of 2584	3860	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe	74
PID 3860 wrote to memory of 2584	3860	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe	74
PID 3860 wrote to memory of 2584	3860	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe	74
PID 3860 wrote to memory of 2584	3860	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe	74
PID 3860 wrote to memory of 2584	3860	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe	74
PID 3860 wrote to memory of 2584	3860	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe	74
PID 3860 wrote to memory of 2584	3860	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe	74
PID 3860 wrote to memory of 2584	3860	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe	74
PID 3860 wrote to memory of 2584	3860	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe	74
PID 3860 wrote to memory of 2584	3860	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe	74
PID 3860 wrote to memory of 2584	3860	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe	74
PID 3860 wrote to memory of 2584	3860	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe	74
PID 3860 wrote to memory of 2584	3860	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe	74
PID 3860 wrote to memory of 2584	3860	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe	74
PID 3860 wrote to memory of 2584	3860	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe	74
PID 3860 wrote to memory of 2584	3860	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe	74
PID 3860 wrote to memory of 2584	3860	a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe	74

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2584
- C:\Users\Admin\AppData\Local\Temp\a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe
  "C:\Users\Admin\AppData\Local\Temp\a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe"
  2⤵
  - Adds policy Run key to start application
  - Modifies Installed Components in the registry
  - Checks BIOS information in registry
  - Adds Run key to start application
  - Drops file in System32 directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3860
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    - Modifies Installed Components in the registry
    PID:1516
  - - C:\Windows\SysWOW64\install\server.exe
      "C:\Windows\system32\install\server.exe"
      4⤵
      Executes dropped EXE
      Checks BIOS information in registry
      Checks processor information in registry
      Enumerates system info in registry
      PID:3852
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 608
        5⤵
        Program crash
        
        PID:4588
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:4612
- - C:\Users\Admin\AppData\Local\Temp\a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe
    "C:\Users\Admin\AppData\Local\Temp\a10a98c2278206fa1f4f5bffb2a5a243779b2d9e71a0a7c8c4a124ef33322ca8.exe"
    3⤵
    - Checks computer location settings
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1872
  - - C:\Windows\SysWOW64\install\server.exe
      "C:\Windows\system32\install\server.exe"
      4⤵
      Executes dropped EXE
      Checks BIOS information in registry
      Checks processor information in registry
      Enumerates system info in registry
      PID:2296
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 524
        5⤵
        Program crash
        
        PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3852 -ip 3852
1⤵
PID:2084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2296 -ip 2296
1⤵
PID:4868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery