cybergate | d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb

Modify Registry

Processes:

d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\win32\\Frost.exe"	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\win32\\Frost.exe"	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe

Executes dropped EXE 4 IoCs

Processes:

SpyNet.exeSpyNet.exeFrost.exeFrost.exe

pid process

6348 SpyNet.exe
6380 SpyNet.exe
6432 Frost.exe
6524 Frost.exe

pid	process
6348	SpyNet.exe
6380	SpyNet.exe
6432	Frost.exe
6524	Frost.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

Processes:

d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{XTHJF30T-T8PL-4E4D-7VGC-4L6R7PF63C1O}\StubPath = "C:\\Windows\\system32\\win32\\Frost.exe Restart"	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{XTHJF30T-T8PL-4E4D-7VGC-4L6R7PF63C1O}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{XTHJF30T-T8PL-4E4D-7VGC-4L6R7PF63C1O}\StubPath = "C:\\Windows\\system32\\win32\\Frost.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{XTHJF30T-T8PL-4E4D-7VGC-4L6R7PF63C1O}	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2072-135-0x0000000000400000-0x000000000071F000-memory.dmp	upx
behavioral2/memory/2072-137-0x0000000000400000-0x000000000071F000-memory.dmp	upx
behavioral2/memory/2072-138-0x0000000000400000-0x000000000071F000-memory.dmp	upx
behavioral2/memory/2072-139-0x0000000000400000-0x000000000071F000-memory.dmp	upx
behavioral2/memory/2072-140-0x0000000000400000-0x000000000071F000-memory.dmp	upx
behavioral2/memory/2072-173-0x0000000000400000-0x000000000071F000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SpyNet.exe	upx
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SpyNet.exe	upx
behavioral2/memory/6380-186-0x0000000000400000-0x0000000000957000-memory.dmp	upx
behavioral2/memory/6524-191-0x0000000000400000-0x000000000071F000-memory.dmp	upx
behavioral2/memory/6524-192-0x0000000000400000-0x000000000071F000-memory.dmp	upx
behavioral2/memory/6524-193-0x0000000000400000-0x000000000071F000-memory.dmp	upx
behavioral2/memory/6524-195-0x0000000000400000-0x000000000071F000-memory.dmp	upx
behavioral2/memory/6380-197-0x0000000000400000-0x0000000000957000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exeSpyNet.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	SpyNet.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

Processes:

d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exeSpyNet.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\win32\\Frost.exe"	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	SpyNet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	SpyNet.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\win32\\Frost.exe"	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe

Drops file in System32 directory 5 IoCs

Processes:

d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exeFrost.exed0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\win32\Frost.exe	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe
File opened for modification	C:\Windows\SysWOW64\win32\	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe
File opened for modification	C:\Windows\SysWOW64\win32\Frost.exe	Frost.exe
File created	C:\Windows\SysWOW64\win32\Frost.exe	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe
File opened for modification	C:\Windows\SysWOW64\win32\Frost.exe	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exeFrost.exe

description	pid	process	target process
PID 372 set thread context of 2072	372	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe
PID 6432 set thread context of 6524	6432	Frost.exe	Frost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

SpyNet.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	SpyNet.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	SpyNet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	SpyNet.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	SpyNet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	SpyNet.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	SpyNet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	SpyNet.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	SpyNet.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

SpyNet.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SpyNet.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	SpyNet.exe

Modifies registry class 1 IoCs

Processes:

d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe

pid process

4936 d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe

pid	process
4936	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe

description	pid	process
Token: SeDebugPrivilege	4936	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe
Token: SeDebugPrivilege	4936	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exeSpyNet.exe

pid	process
2072	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe
6380	SpyNet.exe
6380	SpyNet.exe
6380	SpyNet.exe
6380	SpyNet.exe
6380	SpyNet.exe
6380	SpyNet.exe

Suspicious use of SendNotifyMessage 6 IoCs

Processes:

SpyNet.exe

pid process

6380 SpyNet.exe
6380 SpyNet.exe
6380 SpyNet.exe
6380 SpyNet.exe
6380 SpyNet.exe
6380 SpyNet.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exeFrost.exe

pid process

372 d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe
6432 Frost.exe

pid	process
6380	SpyNet.exe
6380	SpyNet.exe
6380	SpyNet.exe
6380	SpyNet.exe
6380	SpyNet.exe
6380	SpyNet.exe

pid	process
372	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe
6432	Frost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exed0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe

description	pid	process	target process
PID 372 wrote to memory of 2072	372	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe
PID 372 wrote to memory of 2072	372	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe
PID 372 wrote to memory of 2072	372	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe
PID 372 wrote to memory of 2072	372	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe
PID 372 wrote to memory of 2072	372	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe
PID 372 wrote to memory of 2072	372	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe
PID 372 wrote to memory of 2072	372	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe
PID 372 wrote to memory of 2072	372	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe
PID 2072 wrote to memory of 1192	2072	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe	Explorer.EXE
PID 2072 wrote to memory of 1192	2072	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe	Explorer.EXE
PID 2072 wrote to memory of 1192	2072	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe	Explorer.EXE
PID 2072 wrote to memory of 1192	2072	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe	Explorer.EXE
PID 2072 wrote to memory of 1192	2072	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe	Explorer.EXE
PID 2072 wrote to memory of 1192	2072	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe	Explorer.EXE
PID 2072 wrote to memory of 1192	2072	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe	Explorer.EXE
PID 2072 wrote to memory of 1192	2072	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe	Explorer.EXE
PID 2072 wrote to memory of 1192	2072	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe	Explorer.EXE
PID 2072 wrote to memory of 1192	2072	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe	Explorer.EXE
PID 2072 wrote to memory of 1192	2072	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe	Explorer.EXE
PID 2072 wrote to memory of 1192	2072	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe	Explorer.EXE
PID 2072 wrote to memory of 1192	2072	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe	Explorer.EXE
PID 2072 wrote to memory of 1192	2072	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe	Explorer.EXE
PID 2072 wrote to memory of 1192	2072	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe	Explorer.EXE
PID 2072 wrote to memory of 1192	2072	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe	Explorer.EXE
PID 2072 wrote to memory of 1192	2072	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe	Explorer.EXE
PID 2072 wrote to memory of 1192	2072	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe	Explorer.EXE
PID 2072 wrote to memory of 1192	2072	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe	Explorer.EXE
PID 2072 wrote to memory of 1192	2072	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe	Explorer.EXE
PID 2072 wrote to memory of 1192	2072	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe	Explorer.EXE
PID 2072 wrote to memory of 1192	2072	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe	Explorer.EXE
PID 2072 wrote to memory of 1192	2072	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe	Explorer.EXE
PID 2072 wrote to memory of 1192	2072	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe	Explorer.EXE
PID 2072 wrote to memory of 1192	2072	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe	Explorer.EXE
PID 2072 wrote to memory of 1192	2072	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe	Explorer.EXE
PID 2072 wrote to memory of 1192	2072	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe	Explorer.EXE
PID 2072 wrote to memory of 1192	2072	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe	Explorer.EXE
PID 2072 wrote to memory of 1192	2072	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe	Explorer.EXE
PID 2072 wrote to memory of 1192	2072	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe	Explorer.EXE
PID 2072 wrote to memory of 1192	2072	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe	Explorer.EXE
PID 2072 wrote to memory of 1192	2072	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe	Explorer.EXE
PID 2072 wrote to memory of 1192	2072	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe	Explorer.EXE
PID 2072 wrote to memory of 1192	2072	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe	Explorer.EXE
PID 2072 wrote to memory of 1192	2072	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe	Explorer.EXE
PID 2072 wrote to memory of 1192	2072	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe	Explorer.EXE
PID 2072 wrote to memory of 1192	2072	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe	Explorer.EXE
PID 2072 wrote to memory of 1192	2072	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe	Explorer.EXE
PID 2072 wrote to memory of 1192	2072	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe	Explorer.EXE
PID 2072 wrote to memory of 1192	2072	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe	Explorer.EXE
PID 2072 wrote to memory of 1192	2072	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe	Explorer.EXE
PID 2072 wrote to memory of 1192	2072	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe	Explorer.EXE
PID 2072 wrote to memory of 1192	2072	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe	Explorer.EXE
PID 2072 wrote to memory of 1192	2072	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe	Explorer.EXE
PID 2072 wrote to memory of 1192	2072	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe	Explorer.EXE
PID 2072 wrote to memory of 1192	2072	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe	Explorer.EXE
PID 2072 wrote to memory of 1192	2072	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe	Explorer.EXE
PID 2072 wrote to memory of 1192	2072	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe	Explorer.EXE
PID 2072 wrote to memory of 1192	2072	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe	Explorer.EXE
PID 2072 wrote to memory of 1192	2072	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe	Explorer.EXE
PID 2072 wrote to memory of 1192	2072	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe	Explorer.EXE
PID 2072 wrote to memory of 1192	2072	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe	Explorer.EXE
PID 2072 wrote to memory of 1192	2072	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe	Explorer.EXE
PID 2072 wrote to memory of 1192	2072	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe	Explorer.EXE
PID 2072 wrote to memory of 1192	2072	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe	Explorer.EXE
PID 2072 wrote to memory of 1192	2072	d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192

C:\Users\Admin\AppData\Local\Temp\d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe
"C:\Users\Admin\AppData\Local\Temp\d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:372

C:\Users\Admin\AppData\Local\Temp\d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe
"C:\Users\Admin\AppData\Local\Temp\d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe"
3⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2072

C:\Windows\SysWOW64\explorer.exe
explorer.exe
4⤵
- Modifies Installed Components in the registry
PID:1572

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:5016

C:\Users\Admin\AppData\Local\Temp\d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe
"C:\Users\Admin\AppData\Local\Temp\d0e8055eccfb8680a76de4564e74632f87bb4a2e237140884693c26d550e84cb.exe"
4⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4936

C:\Users\Admin\AppData\Local\Temp\SpyNet.exe
"C:\Users\Admin\AppData\Local\Temp\SpyNet.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:6348

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SpyNet.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SpyNet.exe
6⤵
- Executes dropped EXE
- Checks computer location settings
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6380

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\system32\cscript.exe" "C:\Users\Admin\AppData\Local\Temp\teste.vbs"
7⤵
PID:7060

C:\Windows\SysWOW64\win32\Frost.exe
"C:\Windows\system32\win32\Frost.exe"
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:6432

C:\Windows\SysWOW64\win32\Frost.exe
"C:\Windows\SysWOW64\win32\Frost.exe"
6⤵
- Executes dropped EXE
PID:6524

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery