formbook | cd326a152143c9908589386888b653fdf0667b08ab9328eaeb95673c2dc93615

System Information Discovery

Processes:

Arrival Notice.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Arrival Notice.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Arrival Notice.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

Arrival Notice.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Arrival Notice.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

Arrival Notice.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Arrival Notice.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	Arrival Notice.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Arrival Notice.exeArrival Notice.exehelp.exe

description	pid	process	target process
PID 4104 set thread context of 3712	4104	Arrival Notice.exe	Arrival Notice.exe
PID 3712 set thread context of 3048	3712	Arrival Notice.exe	Explorer.EXE
PID 4612 set thread context of 3048	4612	help.exe	Explorer.EXE

Drops file in Program Files directory 1 IoCs

Processes:

help.exe

description ioc process

File opened for modification C:\Program Files (x86)\Jz8ahft\regsvc4h-.exe help.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1068 schtasks.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Jz8ahft\regsvc4h-.exe	help.exe

pid	process
1068	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

help.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	help.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

Arrival Notice.exepowershell.exeArrival Notice.exehelp.exe

pid	process
4104	Arrival Notice.exe
4104	Arrival Notice.exe
4104	Arrival Notice.exe
4104	Arrival Notice.exe
4104	Arrival Notice.exe
4104	Arrival Notice.exe
392	powershell.exe
3712	Arrival Notice.exe
3712	Arrival Notice.exe
392	powershell.exe
3712	Arrival Notice.exe
3712	Arrival Notice.exe
4612	help.exe
4612	help.exe
4612	help.exe
4612	help.exe
4612	help.exe
4612	help.exe
4612	help.exe
4612	help.exe
4612	help.exe
4612	help.exe
4612	help.exe
4612	help.exe
4612	help.exe
4612	help.exe
4612	help.exe
4612	help.exe
4612	help.exe
4612	help.exe
4612	help.exe
4612	help.exe
4612	help.exe
4612	help.exe
4612	help.exe
4612	help.exe
4612	help.exe
4612	help.exe
4612	help.exe
4612	help.exe
4612	help.exe
4612	help.exe
4612	help.exe
4612	help.exe
4612	help.exe
4612	help.exe
4612	help.exe
4612	help.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3048 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

Arrival Notice.exehelp.exe

pid process

3712 Arrival Notice.exe
3712 Arrival Notice.exe
3712 Arrival Notice.exe
4612 help.exe
4612 help.exe
4612 help.exe
4612 help.exe

pid	process
3048	Explorer.EXE

pid	process
3712	Arrival Notice.exe
3712	Arrival Notice.exe
3712	Arrival Notice.exe
4612	help.exe
4612	help.exe
4612	help.exe
4612	help.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

Arrival Notice.exepowershell.exeArrival Notice.exehelp.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	4104	Arrival Notice.exe
Token: SeDebugPrivilege	392	powershell.exe
Token: SeDebugPrivilege	3712	Arrival Notice.exe
Token: SeDebugPrivilege	4612	help.exe
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

Arrival Notice.exeExplorer.EXEhelp.exe

description	pid	process	target process
PID 4104 wrote to memory of 392	4104	Arrival Notice.exe	powershell.exe
PID 4104 wrote to memory of 392	4104	Arrival Notice.exe	powershell.exe
PID 4104 wrote to memory of 392	4104	Arrival Notice.exe	powershell.exe
PID 4104 wrote to memory of 1068	4104	Arrival Notice.exe	schtasks.exe
PID 4104 wrote to memory of 1068	4104	Arrival Notice.exe	schtasks.exe
PID 4104 wrote to memory of 1068	4104	Arrival Notice.exe	schtasks.exe
PID 4104 wrote to memory of 3680	4104	Arrival Notice.exe	Arrival Notice.exe
PID 4104 wrote to memory of 3680	4104	Arrival Notice.exe	Arrival Notice.exe
PID 4104 wrote to memory of 3680	4104	Arrival Notice.exe	Arrival Notice.exe
PID 4104 wrote to memory of 4512	4104	Arrival Notice.exe	Arrival Notice.exe
PID 4104 wrote to memory of 4512	4104	Arrival Notice.exe	Arrival Notice.exe
PID 4104 wrote to memory of 4512	4104	Arrival Notice.exe	Arrival Notice.exe
PID 4104 wrote to memory of 3712	4104	Arrival Notice.exe	Arrival Notice.exe
PID 4104 wrote to memory of 3712	4104	Arrival Notice.exe	Arrival Notice.exe
PID 4104 wrote to memory of 3712	4104	Arrival Notice.exe	Arrival Notice.exe
PID 4104 wrote to memory of 3712	4104	Arrival Notice.exe	Arrival Notice.exe
PID 4104 wrote to memory of 3712	4104	Arrival Notice.exe	Arrival Notice.exe
PID 4104 wrote to memory of 3712	4104	Arrival Notice.exe	Arrival Notice.exe
PID 3048 wrote to memory of 4612	3048	Explorer.EXE	help.exe
PID 3048 wrote to memory of 4612	3048	Explorer.EXE	help.exe
PID 3048 wrote to memory of 4612	3048	Explorer.EXE	help.exe
PID 4612 wrote to memory of 1360	4612	help.exe	cmd.exe
PID 4612 wrote to memory of 1360	4612	help.exe	cmd.exe
PID 4612 wrote to memory of 1360	4612	help.exe	cmd.exe
PID 4612 wrote to memory of 3024	4612	help.exe	cmd.exe
PID 4612 wrote to memory of 3024	4612	help.exe	cmd.exe
PID 4612 wrote to memory of 3024	4612	help.exe	cmd.exe
PID 4612 wrote to memory of 1176	4612	help.exe	cmd.exe
PID 4612 wrote to memory of 1176	4612	help.exe	cmd.exe
PID 4612 wrote to memory of 1176	4612	help.exe	cmd.exe
PID 4612 wrote to memory of 956	4612	help.exe	Firefox.exe
PID 4612 wrote to memory of 956	4612	help.exe	Firefox.exe
PID 4612 wrote to memory of 956	4612	help.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3048

C:\Users\Admin\AppData\Local\Temp\Arrival Notice.exe
"C:\Users\Admin\AppData\Local\Temp\Arrival Notice.exe"
2⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4104

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\YyKWDHkSnIFE.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:392

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YyKWDHkSnIFE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp704E.tmp"
3⤵
- Creates scheduled task(s)
PID:1068

C:\Users\Admin\AppData\Local\Temp\Arrival Notice.exe
"C:\Users\Admin\AppData\Local\Temp\Arrival Notice.exe"
3⤵
PID:3680

C:\Users\Admin\AppData\Local\Temp\Arrival Notice.exe
"C:\Users\Admin\AppData\Local\Temp\Arrival Notice.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3712

C:\Users\Admin\AppData\Local\Temp\Arrival Notice.exe
"C:\Users\Admin\AppData\Local\Temp\Arrival Notice.exe"
3⤵
PID:4512

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4612

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Arrival Notice.exe"
3⤵
PID:1360

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
3⤵
PID:3024

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
3⤵
PID:1176

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Modify Registry

2

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

5

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

4

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System