e45833cc1b31266b7b8772389417ef4bdfbc423242c713cb59185eb869e30947

System Information Discovery

Processes:

e45833cc1b31266b7b8772389417ef4bdfbc423242c713cb59185eb869e30947.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	e45833cc1b31266b7b8772389417ef4bdfbc423242c713cb59185eb869e30947.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

1196 takeown.exe
1660 icacls.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

pid	process
1196	takeown.exe
1660	icacls.exe

Drops file in System32 directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{93ABD653-67FA-4CB6-8CCC-C6B93485197E}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{74F89DD2-69F0-4338-B4F7-89259CBB91BF}.catalogItem	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Download via BitsAdmin 1 TTPs 1 IoCs
dropper

BITS Jobs
T1197

Processes:

bitsadmin.exe

pid process

4376 bitsadmin.exe

pid	process
4376	bitsadmin.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

e45833cc1b31266b7b8772389417ef4bdfbc423242c713cb59185eb869e30947.execmd.execmd.exe

description	pid	process	target process
PID 2228 wrote to memory of 2212	2228	e45833cc1b31266b7b8772389417ef4bdfbc423242c713cb59185eb869e30947.exe	cmd.exe
PID 2228 wrote to memory of 2212	2228	e45833cc1b31266b7b8772389417ef4bdfbc423242c713cb59185eb869e30947.exe	cmd.exe
PID 2212 wrote to memory of 1728	2212	cmd.exe	cmd.exe
PID 2212 wrote to memory of 1728	2212	cmd.exe	cmd.exe
PID 1728 wrote to memory of 1196	1728	cmd.exe	takeown.exe
PID 1728 wrote to memory of 1196	1728	cmd.exe	takeown.exe
PID 2212 wrote to memory of 1660	2212	cmd.exe	icacls.exe
PID 2212 wrote to memory of 1660	2212	cmd.exe	icacls.exe
PID 2212 wrote to memory of 4216	2212	cmd.exe	attrib.exe
PID 2212 wrote to memory of 4216	2212	cmd.exe	attrib.exe
PID 2212 wrote to memory of 4376	2212	cmd.exe	bitsadmin.exe
PID 2212 wrote to memory of 4376	2212	cmd.exe	bitsadmin.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

4216 attrib.exe

pid	process
4216	attrib.exe

C:\Users\Admin\AppData\Local\Temp\e45833cc1b31266b7b8772389417ef4bdfbc423242c713cb59185eb869e30947.exe
"C:\Users\Admin\AppData\Local\Temp\e45833cc1b31266b7b8772389417ef4bdfbc423242c713cb59185eb869e30947.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2228

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5DC.tmp\5DD.tmp\5ED.bat C:\Users\Admin\AppData\Local\Temp\e45833cc1b31266b7b8772389417ef4bdfbc423242c713cb59185eb869e30947.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2212

C:\Windows\system32\cmd.exe
cmd.exe /c takeown /f "C:\Windows\System32\drivers\etc\hosts"
3⤵
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\drivers\etc\hosts"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1196

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\drivers\etc\hosts" /grant ?░?????????????é???░?é?????ï:F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1660

C:\Windows\system32\attrib.exe
attrib -R -S -H "C:\Windows\System32\drivers\etc\hosts"
3⤵
- Drops file in Drivers directory
- Views/modifies file attributes
PID:4216

C:\Windows\system32\bitsadmin.exe
bitsadmin /transfer /download https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/extra.txt C:\Users\Admin\AppData\Local\Temp\hosts
3⤵
- Download via BitsAdmin
PID:4376

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:4920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

BITS Jobs

T1197

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

BITS Jobs

T1197

File and Directory Permissions Modification

T1222

Hidden Files and Directories

Web Service

Credential Access

Discovery

Query Registry

3

System Information Discovery

4

Lateral Movement

Collection

Command and Control

Web Service