9fb75c95723dd6c62194a06f9ca03d3f1682f7682dcd36a7701defd2e944c839

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	Install.exe

Executes dropped EXE 2 IoCs

pid	Process
2256	Install.exe
1388	Install.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
5044	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3724	powershell.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3724	powershell.EXE

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 4560 wrote to memory of 2256	4560	9fb75c95723dd6c62194a06f9ca03d3f1682f7682dcd36a7701defd2e944c839.exe	86
PID 4560 wrote to memory of 2256	4560	9fb75c95723dd6c62194a06f9ca03d3f1682f7682dcd36a7701defd2e944c839.exe	86
PID 4560 wrote to memory of 2256	4560	9fb75c95723dd6c62194a06f9ca03d3f1682f7682dcd36a7701defd2e944c839.exe	86
PID 2256 wrote to memory of 1388	2256	Install.exe	88
PID 2256 wrote to memory of 1388	2256	Install.exe	88
PID 2256 wrote to memory of 1388	2256	Install.exe	88
PID 1388 wrote to memory of 4344	1388	Install.exe	90
PID 1388 wrote to memory of 4344	1388	Install.exe	90
PID 1388 wrote to memory of 4344	1388	Install.exe	90
PID 1388 wrote to memory of 4800	1388	Install.exe	92
PID 1388 wrote to memory of 4800	1388	Install.exe	92
PID 1388 wrote to memory of 4800	1388	Install.exe	92
PID 4800 wrote to memory of 5000	4800	forfiles.exe	94
PID 4800 wrote to memory of 5000	4800	forfiles.exe	94
PID 4800 wrote to memory of 5000	4800	forfiles.exe	94
PID 4344 wrote to memory of 4352	4344	forfiles.exe	95
PID 4344 wrote to memory of 4352	4344	forfiles.exe	95
PID 4344 wrote to memory of 4352	4344	forfiles.exe	95
PID 4352 wrote to memory of 4520	4352	cmd.exe	96
PID 4352 wrote to memory of 4520	4352	cmd.exe	96
PID 4352 wrote to memory of 4520	4352	cmd.exe	96
PID 5000 wrote to memory of 3896	5000	cmd.exe	97
PID 5000 wrote to memory of 3896	5000	cmd.exe	97
PID 5000 wrote to memory of 3896	5000	cmd.exe	97
PID 5000 wrote to memory of 3816	5000	cmd.exe	98
PID 5000 wrote to memory of 3816	5000	cmd.exe	98
PID 5000 wrote to memory of 3816	5000	cmd.exe	98
PID 4352 wrote to memory of 4724	4352	cmd.exe	99
PID 4352 wrote to memory of 4724	4352	cmd.exe	99
PID 4352 wrote to memory of 4724	4352	cmd.exe	99
PID 1388 wrote to memory of 5044	1388	Install.exe	103
PID 1388 wrote to memory of 5044	1388	Install.exe	103
PID 1388 wrote to memory of 5044	1388	Install.exe	103
PID 1388 wrote to memory of 2540	1388	Install.exe	106
PID 1388 wrote to memory of 2540	1388	Install.exe	106
PID 1388 wrote to memory of 2540	1388	Install.exe	106

C:\Users\Admin\AppData\Local\Temp\9fb75c95723dd6c62194a06f9ca03d3f1682f7682dcd36a7701defd2e944c839.exe
"C:\Users\Admin\AppData\Local\Temp\9fb75c95723dd6c62194a06f9ca03d3f1682f7682dcd36a7701defd2e944c839.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4560
- C:\Users\Admin\AppData\Local\Temp\7zSCB10.tmp\Install.exe
  .\Install.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Users\Admin\AppData\Local\Temp\7zSCE5C.tmp\Install.exe
    .\Install.exe /QqGWdiddNtBW "385118" /S
    3⤵
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Enumerates system info in registry
    - Suspicious use of WriteProcessMemory
    PID:1388
  - - C:\Windows\SysWOW64\forfiles.exe
      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4344
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4352
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        6⤵
        
        PID:4520
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        6⤵
        
        PID:4724
  - - C:\Windows\SysWOW64\forfiles.exe
      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4800
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5000
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        6⤵
        
        PID:3896
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        6⤵
        
        PID:3816
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "gZsNDiSzx" /SC once /ST 09:37:32 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
      4⤵
      Creates scheduled task(s)
      PID:5044
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /run /I /tn "gZsNDiSzx"
      4⤵
      PID:2540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery