ammyyadmin | 691eaa4c48666b69ca180b9aae1a4035fefb29cef1f0a3cfbc91c020b0b09f40

System Information Discovery

Processes:

svchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Control Panel\International\Geo\Nation	svchost.exe

Deletes itself 1 IoCs

Processes:

certreq.exe

pid process

2880 certreq.exe

pid	process
2880	certreq.exe

Drops startup file 3 IoCs

Processes:

1880.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	1880.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[EC892D17-3483].[[email protected]].8base	1880.exe
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\1880.exe	1880.exe

Executes dropped EXE 12 IoCs

Processes:

6oPX.exe6oPX.exe[email protected][email protected]396RUE.exe1880.exe1880.exe1880.exe1DED.exe1880.exesvchost.exe1DED.exe

pid	process
2856	6oPX.exe
2288	6oPX.exe
1872	[email protected]
1624	[email protected]
2828	396RUE.exe
2120	1880.exe
1360	1880.exe
2324	1880.exe
1560	1DED.exe
948	1880.exe
796	svchost.exe
1460	1DED.exe

Loads dropped DLL 10 IoCs

Processes:

1880.exe1880.exe1DED.exeexplorer.exerundll32.exe

pid process

2900
2120 1880.exe
2324 1880.exe
1560 1DED.exe
2556 explorer.exe
2556 explorer.exe
2976 rundll32.exe
2976 rundll32.exe
2976 rundll32.exe
2976 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2900
2120	1880.exe
2324	1880.exe
1560	1DED.exe
2556	explorer.exe
2556	explorer.exe
2976	rundll32.exe
2976	rundll32.exe
2976	rundll32.exe
2976	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs

collection

Email Collection

T1114

Processes:

certreq.exeexplorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

Processes:

1880.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1880 = "C:\\Users\\Admin\\AppData\\Local\\1880.exe"	1880.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Run\1880 = "C:\\Users\\Admin\\AppData\\Local\\1880.exe"	1880.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

1880.exe

description	ioc	process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	1880.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\YK5VI4QL\desktop.ini	1880.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	1880.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	1880.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	1880.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	1880.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	1880.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	1880.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	1880.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IDLDGKZQ\desktop.ini	1880.exe
File opened for modification	C:\Users\Public\desktop.ini	1880.exe
File opened for modification	C:\Program Files\desktop.ini	1880.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	1880.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	1880.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	1880.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	1880.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	1880.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	1880.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	1880.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	1880.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	1880.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	1880.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	1880.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	1880.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RIT0VQ4M\desktop.ini	1880.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	1880.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	1880.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	1880.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	1880.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	1880.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	1880.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	1880.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	1880.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	1880.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	1880.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	1880.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	1880.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	1880.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	1880.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3750544865-3773649541-1858556521-1000\desktop.ini	1880.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	1880.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WYZEMTEU\desktop.ini	1880.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z0TR3CUC\desktop.ini	1880.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	1880.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	1880.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	1880.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	1880.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	1880.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	1880.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	1880.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	1880.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	1880.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	1880.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\JQALZ7NY\desktop.ini	1880.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	1880.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3750544865-3773649541-1858556521-1000\desktop.ini	1880.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	1880.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	1880.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	1880.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	1880.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	1880.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	1880.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	1880.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	1880.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

svchost.exe

description ioc process

File opened for modification \??\PhysicalDrive0 svchost.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	svchost.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f.exe6oPX.exe[email protected]1880.exe1880.exe1DED.exe

description	pid	process	target process
PID 1116 set thread context of 2360	1116	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f.exe	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f.exe
PID 2856 set thread context of 2288	2856	6oPX.exe	6oPX.exe
PID 1872 set thread context of 1624	1872	[email protected]	[email protected]
PID 2120 set thread context of 1360	2120	1880.exe	1880.exe
PID 2324 set thread context of 948	2324	1880.exe	1880.exe
PID 1560 set thread context of 1460	1560	1DED.exe	1DED.exe

Drops file in Program Files directory 64 IoCs

Processes:

1880.exe

description	ioc	process
File opened for modification	C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll	1880.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0214934.WMF.id[EC892D17-3483].[[email protected]].8base	1880.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\RPLBRF35.CHM.id[EC892D17-3483].[[email protected]].8base	1880.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\fr-FR\wmplayer.exe.mui	1880.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libvhs_plugin.dll	1880.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0217872.WMF	1880.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\PicturesToolIconImagesMask.bmp	1880.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\IpsMigrationPlugin.dll.mui	1880.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository.nl_ja_4.4.0.v20140623020002.jar	1880.exe
File created	C:\Program Files\Java\jre7\lib\zi\Europe\Samara.id[EC892D17-3483].[[email protected]].8base	1880.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\msado28.tlb	1880.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSRuntimeUI.dll	1880.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\it-IT\PhotoViewer.dll.mui	1880.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\STINTL.DLL.IDX_DLL	1880.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\gadget.xml	1880.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\settings.html	1880.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178639.JPG	1880.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OIS_COL.HXT	1880.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\BREEZE.WAV.id[EC892D17-3483].[[email protected]].8base	1880.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_double_orange.png	1880.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe	1880.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe.id[EC892D17-3483].[[email protected]].8base	1880.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\drag.png	1880.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN03500_.WMF.id[EC892D17-3483].[[email protected]].8base	1880.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSOUC_F_COL.HXK.id[EC892D17-3483].[[email protected]].8base	1880.exe
File opened for modification	C:\Program Files\DVD Maker\fieldswitch.ax	1880.exe
File opened for modification	C:\Program Files\Java\jre7\bin\instrument.dll	1880.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\custom.lua.id[EC892D17-3483].[[email protected]].8base	1880.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Portal\PortalConnectCore.dll	1880.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0285698.WMF.id[EC892D17-3483].[[email protected]].8base	1880.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Custom.propdesc	1880.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\MarkupIconImagesMask.bmp	1880.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Azores	1880.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libflac_plugin.dll	1880.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\settings.html	1880.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\DEEPBLUE\DEEPBLUE.INF	1880.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\Msgbox.accdt	1880.exe
File opened for modification	C:\Program Files\Mozilla Firefox\mozwer.dll	1880.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\vlc.mo.id[EC892D17-3483].[[email protected]].8base	1880.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\vlc.mo	1880.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_yuy2_plugin.dll.id[EC892D17-3483].[[email protected]].8base	1880.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\COMPASS.INF.id[EC892D17-3483].[[email protected]].8base	1880.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01368_.WMF	1880.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BIZFORM.XML.id[EC892D17-3483].[[email protected]].8base	1880.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\PROOF\MSWDS_EN.LEX.id[EC892D17-3483].[[email protected]].8base	1880.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00578_.WMF.id[EC892D17-3483].[[email protected]].8base	1880.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\ACWZDAT12.ACCDU.id[EC892D17-3483].[[email protected]].8base	1880.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN107.XML.id[EC892D17-3483].[[email protected]].8base	1880.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\it-IT\WMPMediaSharing.dll.mui	1880.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\oledb32r.dll	1880.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-actions_zh_CN.jar	1880.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-application.jar	1880.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\System.Data.Entity.Resources.dll	1880.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0314068.JPG.id[EC892D17-3483].[[email protected]].8base	1880.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\QP.XML.id[EC892D17-3483].[[email protected]].8base	1880.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_divider_left.png	1880.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\LAYERS.INF	1880.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0233312.WMF	1880.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dt_shmem.dll	1880.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-visual.xml.id[EC892D17-3483].[[email protected]].8base	1880.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf.id[EC892D17-3483].[[email protected]].8base	1880.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SPRNG_01.MID.id[EC892D17-3483].[[email protected]].8base	1880.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_basestyle.css.id[EC892D17-3483].[[email protected]].8base	1880.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util-enumerations.xml	1880.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

[email protected]

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	[email protected]
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	[email protected]
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	[email protected]

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

certreq.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	certreq.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	certreq.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

2680 vssadmin.exe
1384 vssadmin.exe

pid	process
2680	vssadmin.exe
1384	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

Processes:

mshta.exemshta.exemshta.exemshta.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

Processes:

svchost.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f.execertreq.exe[email protected]396RUE.exeExplorer.EXE

pid	process
2360	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f.exe
2360	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f.exe
2360	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f.exe
2360	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f.exe
2880	certreq.exe
2880	certreq.exe
2880	certreq.exe
2880	certreq.exe
1624	[email protected]
1624	[email protected]
2828	396RUE.exe
2828	396RUE.exe
2828	396RUE.exe
2828	396RUE.exe
2828	396RUE.exe
2828	396RUE.exe
2828	396RUE.exe
2828	396RUE.exe
2828	396RUE.exe
2828	396RUE.exe
2828	396RUE.exe
2828	396RUE.exe
2828	396RUE.exe
2828	396RUE.exe
2828	396RUE.exe
2828	396RUE.exe
2828	396RUE.exe
2828	396RUE.exe
2828	396RUE.exe
2828	396RUE.exe
2828	396RUE.exe
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1208 Explorer.EXE

Suspicious behavior: MapViewOfSection 33 IoCs

Processes:

[email protected]Explorer.EXEexplorer.exe

pid	process
1624	[email protected]
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
2556	explorer.exe
2556	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f.exe6oPX.exe[email protected]396RUE.exe1880.exe1880.exeExplorer.EXE1DED.exe1880.exevssvc.exeWMIC.exewbengine.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1116	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f.exe
Token: SeDebugPrivilege	2856	6oPX.exe
Token: SeDebugPrivilege	1872	[email protected]
Token: SeDebugPrivilege	2828	396RUE.exe
Token: SeDebugPrivilege	2120	1880.exe
Token: SeDebugPrivilege	2324	1880.exe
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeDebugPrivilege	1560	1DED.exe
Token: SeDebugPrivilege	1360	1880.exe
Token: SeBackupPrivilege	2820	vssvc.exe
Token: SeRestorePrivilege	2820	vssvc.exe
Token: SeAuditPrivilege	2820	vssvc.exe
Token: SeIncreaseQuotaPrivilege	788	WMIC.exe
Token: SeSecurityPrivilege	788	WMIC.exe
Token: SeTakeOwnershipPrivilege	788	WMIC.exe
Token: SeLoadDriverPrivilege	788	WMIC.exe
Token: SeSystemProfilePrivilege	788	WMIC.exe
Token: SeSystemtimePrivilege	788	WMIC.exe
Token: SeProfSingleProcessPrivilege	788	WMIC.exe
Token: SeIncBasePriorityPrivilege	788	WMIC.exe
Token: SeCreatePagefilePrivilege	788	WMIC.exe
Token: SeBackupPrivilege	788	WMIC.exe
Token: SeRestorePrivilege	788	WMIC.exe
Token: SeShutdownPrivilege	788	WMIC.exe
Token: SeDebugPrivilege	788	WMIC.exe
Token: SeSystemEnvironmentPrivilege	788	WMIC.exe
Token: SeRemoteShutdownPrivilege	788	WMIC.exe
Token: SeUndockPrivilege	788	WMIC.exe
Token: SeManageVolumePrivilege	788	WMIC.exe
Token: 33	788	WMIC.exe
Token: 34	788	WMIC.exe
Token: 35	788	WMIC.exe
Token: SeIncreaseQuotaPrivilege	788	WMIC.exe
Token: SeSecurityPrivilege	788	WMIC.exe
Token: SeTakeOwnershipPrivilege	788	WMIC.exe
Token: SeLoadDriverPrivilege	788	WMIC.exe
Token: SeSystemProfilePrivilege	788	WMIC.exe
Token: SeSystemtimePrivilege	788	WMIC.exe
Token: SeProfSingleProcessPrivilege	788	WMIC.exe
Token: SeIncBasePriorityPrivilege	788	WMIC.exe
Token: SeCreatePagefilePrivilege	788	WMIC.exe
Token: SeBackupPrivilege	788	WMIC.exe
Token: SeRestorePrivilege	788	WMIC.exe
Token: SeShutdownPrivilege	788	WMIC.exe
Token: SeDebugPrivilege	788	WMIC.exe
Token: SeSystemEnvironmentPrivilege	788	WMIC.exe
Token: SeRemoteShutdownPrivilege	788	WMIC.exe
Token: SeUndockPrivilege	788	WMIC.exe
Token: SeManageVolumePrivilege	788	WMIC.exe
Token: 33	788	WMIC.exe
Token: 34	788	WMIC.exe
Token: 35	788	WMIC.exe
Token: SeBackupPrivilege	980	wbengine.exe
Token: SeRestorePrivilege	980	wbengine.exe
Token: SeSecurityPrivilege	980	wbengine.exe
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	2388	WMIC.exe
Token: SeSecurityPrivilege	2388	WMIC.exe
Token: SeTakeOwnershipPrivilege	2388	WMIC.exe
Token: SeLoadDriverPrivilege	2388	WMIC.exe
Token: SeSystemProfilePrivilege	2388	WMIC.exe

Suspicious use of FindShellTrayWindow 10 IoCs

Processes:

svchost.exeExplorer.EXE

pid	process
796	svchost.exe
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE

Suspicious use of SendNotifyMessage 18 IoCs

Processes:

Explorer.EXE

pid	process
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f.exe8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f.exe6oPX.exe[email protected]396RUE.exeExplorer.EXE

description	pid	process	target process
PID 1116 wrote to memory of 2360	1116	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f.exe	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f.exe
PID 1116 wrote to memory of 2360	1116	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f.exe	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f.exe
PID 1116 wrote to memory of 2360	1116	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f.exe	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f.exe
PID 1116 wrote to memory of 2360	1116	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f.exe	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f.exe
PID 1116 wrote to memory of 2360	1116	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f.exe	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f.exe
PID 1116 wrote to memory of 2360	1116	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f.exe	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f.exe
PID 1116 wrote to memory of 2360	1116	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f.exe	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f.exe
PID 1116 wrote to memory of 2360	1116	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f.exe	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f.exe
PID 1116 wrote to memory of 2360	1116	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f.exe	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f.exe
PID 2360 wrote to memory of 2880	2360	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f.exe	certreq.exe
PID 2360 wrote to memory of 2880	2360	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f.exe	certreq.exe
PID 2360 wrote to memory of 2880	2360	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f.exe	certreq.exe
PID 2360 wrote to memory of 2880	2360	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f.exe	certreq.exe
PID 2360 wrote to memory of 2880	2360	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f.exe	certreq.exe
PID 2360 wrote to memory of 2880	2360	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f.exe	certreq.exe
PID 2856 wrote to memory of 2288	2856	6oPX.exe	6oPX.exe
PID 2856 wrote to memory of 2288	2856	6oPX.exe	6oPX.exe
PID 2856 wrote to memory of 2288	2856	6oPX.exe	6oPX.exe
PID 2856 wrote to memory of 2288	2856	6oPX.exe	6oPX.exe
PID 2856 wrote to memory of 2288	2856	6oPX.exe	6oPX.exe
PID 2856 wrote to memory of 2288	2856	6oPX.exe	6oPX.exe
PID 2856 wrote to memory of 2288	2856	6oPX.exe	6oPX.exe
PID 2856 wrote to memory of 2288	2856	6oPX.exe	6oPX.exe
PID 2856 wrote to memory of 2288	2856	6oPX.exe	6oPX.exe
PID 2856 wrote to memory of 2288	2856	6oPX.exe	6oPX.exe
PID 2856 wrote to memory of 2288	2856	6oPX.exe	6oPX.exe
PID 1872 wrote to memory of 1624	1872	[email protected]	[email protected]
PID 1872 wrote to memory of 1624	1872	[email protected]	[email protected]
PID 1872 wrote to memory of 1624	1872	[email protected]	[email protected]
PID 1872 wrote to memory of 1624	1872	[email protected]	[email protected]
PID 1872 wrote to memory of 1624	1872	[email protected]	[email protected]
PID 1872 wrote to memory of 1624	1872	[email protected]	[email protected]
PID 1872 wrote to memory of 1624	1872	[email protected]	[email protected]
PID 2828 wrote to memory of 1228	2828	396RUE.exe	aspnet_compiler.exe
PID 2828 wrote to memory of 1228	2828	396RUE.exe	aspnet_compiler.exe
PID 2828 wrote to memory of 1228	2828	396RUE.exe	aspnet_compiler.exe
PID 2828 wrote to memory of 1276	2828	396RUE.exe	aspnet_compiler.exe
PID 2828 wrote to memory of 1276	2828	396RUE.exe	aspnet_compiler.exe
PID 2828 wrote to memory of 1276	2828	396RUE.exe	aspnet_compiler.exe
PID 2828 wrote to memory of 1304	2828	396RUE.exe	aspnet_compiler.exe
PID 2828 wrote to memory of 1304	2828	396RUE.exe	aspnet_compiler.exe
PID 2828 wrote to memory of 1304	2828	396RUE.exe	aspnet_compiler.exe
PID 2828 wrote to memory of 1376	2828	396RUE.exe	aspnet_compiler.exe
PID 2828 wrote to memory of 1376	2828	396RUE.exe	aspnet_compiler.exe
PID 2828 wrote to memory of 1376	2828	396RUE.exe	aspnet_compiler.exe
PID 2828 wrote to memory of 1240	2828	396RUE.exe	aspnet_compiler.exe
PID 2828 wrote to memory of 1240	2828	396RUE.exe	aspnet_compiler.exe
PID 2828 wrote to memory of 1240	2828	396RUE.exe	aspnet_compiler.exe
PID 2828 wrote to memory of 1184	2828	396RUE.exe	aspnet_compiler.exe
PID 2828 wrote to memory of 1184	2828	396RUE.exe	aspnet_compiler.exe
PID 2828 wrote to memory of 1184	2828	396RUE.exe	aspnet_compiler.exe
PID 2828 wrote to memory of 1764	2828	396RUE.exe	aspnet_compiler.exe
PID 2828 wrote to memory of 1764	2828	396RUE.exe	aspnet_compiler.exe
PID 2828 wrote to memory of 1764	2828	396RUE.exe	aspnet_compiler.exe
PID 2828 wrote to memory of 2056	2828	396RUE.exe	aspnet_compiler.exe
PID 2828 wrote to memory of 2056	2828	396RUE.exe	aspnet_compiler.exe
PID 2828 wrote to memory of 2056	2828	396RUE.exe	aspnet_compiler.exe
PID 2828 wrote to memory of 2348	2828	396RUE.exe	aspnet_compiler.exe
PID 2828 wrote to memory of 2348	2828	396RUE.exe	aspnet_compiler.exe
PID 2828 wrote to memory of 2348	2828	396RUE.exe	aspnet_compiler.exe
PID 2828 wrote to memory of 108	2828	396RUE.exe	aspnet_compiler.exe
PID 2828 wrote to memory of 108	2828	396RUE.exe	aspnet_compiler.exe
PID 2828 wrote to memory of 108	2828	396RUE.exe	aspnet_compiler.exe
PID 1208 wrote to memory of 2120	1208	Explorer.EXE	1880.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1208

C:\Users\Admin\AppData\Local\Temp\8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f.exe
"C:\Users\Admin\AppData\Local\Temp\8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1116

C:\Users\Admin\AppData\Local\Temp\8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f.exe
C:\Users\Admin\AppData\Local\Temp\8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f.exe
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2360

C:\Windows\system32\certreq.exe
"C:\Windows\system32\certreq.exe"
2⤵
- Deletes itself
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2880

C:\Users\Admin\AppData\Local\Temp\1880.exe
C:\Users\Admin\AppData\Local\Temp\1880.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Users\Admin\AppData\Local\Temp\1880.exe
C:\Users\Admin\AppData\Local\Temp\1880.exe
3⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1360

C:\Users\Admin\AppData\Local\Temp\1880.exe
"C:\Users\Admin\AppData\Local\Temp\1880.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2324

C:\Users\Admin\AppData\Local\Temp\1880.exe
C:\Users\Admin\AppData\Local\Temp\1880.exe
5⤵
- Executes dropped EXE
PID:948

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
4⤵
PID:3040

C:\Windows\system32\netsh.exe
netsh advfirewall set currentprofile state off
5⤵
- Modifies Windows Firewall
PID:2752

C:\Windows\system32\netsh.exe
netsh firewall set opmode mode=disable
5⤵
- Modifies Windows Firewall
PID:1368

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
4⤵
PID:1700

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:2680

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:788

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
5⤵
- Modifies boot configuration data using bcdedit
PID:1688

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
5⤵
- Deletes backup catalog
PID:1376

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
5⤵
- Modifies boot configuration data using bcdedit
PID:1564

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"
4⤵
- Modifies Internet Explorer settings
PID:2296

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"
4⤵
- Modifies Internet Explorer settings
PID:2176

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"
4⤵
- Modifies Internet Explorer settings
PID:1992

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "F:\info.hta"
4⤵
- Modifies Internet Explorer settings
PID:1944

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
4⤵
PID:2288

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:1384

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2388

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
5⤵
- Modifies boot configuration data using bcdedit
PID:1528

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
5⤵
- Modifies boot configuration data using bcdedit
PID:2348

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
5⤵
- Deletes backup catalog
PID:1824

C:\Users\Admin\AppData\Local\Temp\1DED.exe
C:\Users\Admin\AppData\Local\Temp\1DED.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1560

C:\Users\Admin\AppData\Local\Temp\1DED.exe
"C:\Users\Admin\AppData\Local\Temp\1DED.exe"
3⤵
- Executes dropped EXE
PID:1460

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:2492

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:1716

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:2312

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1508

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1268

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:1228

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:928

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:2368

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:1296

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:1864

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:2904

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:2592

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
PID:2916

C:\Windows\explorer.exe
C:\Windows\explorer.exe
2⤵
PID:1984

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
2⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
PID:2556

C:\Users\Admin\AppData\Local\Temp\650A.tmp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\650A.tmp\svchost.exe -debug
3⤵
- Checks computer location settings
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
PID:796

C:\Windows\SysWOW64\ctfmon.exe
ctfmon.exe
4⤵
PID:3032

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\650A.tmp\aa_nts.dll",run
4⤵
- Loads dropped DLL
PID:2976

C:\Users\Admin\AppData\Local\Microsoft\6oPX.exe
"C:\Users\Admin\AppData\Local\Microsoft\6oPX.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2856

C:\Users\Admin\AppData\Local\Microsoft\6oPX.exe
C:\Users\Admin\AppData\Local\Microsoft\6oPX.exe
2⤵
- Executes dropped EXE
PID:2288

C:\Users\Admin\AppData\Local\Microsoft\[email protected]
"C:\Users\Admin\AppData\Local\Microsoft\[email protected]"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1872

C:\Users\Admin\AppData\Local\Microsoft\[email protected]
C:\Users\Admin\AppData\Local\Microsoft\[email protected]
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1624

C:\Users\Admin\AppData\Local\Microsoft\396RUE.exe
"C:\Users\Admin\AppData\Local\Microsoft\396RUE.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2828

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
2⤵
PID:1228

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
2⤵
PID:108

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
2⤵
PID:2348

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
2⤵
PID:2056

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
2⤵
PID:1764

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
2⤵
PID:1184

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
2⤵
PID:1240

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
2⤵
PID:1376

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
2⤵
PID:1304

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
2⤵
PID:1276

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2820

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:980

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1800

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:2232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery