ammyyadmin | 691eaa4c48666b69ca180b9aae1a4035fefb29cef1f0a3cfbc91c020b0b09f40

pid	Process
892	bcdedit.exe
3584	bcdedit.exe

Renames multiple (91) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

pid	Process
4256	wbadmin.exe

Downloads MZ/PE file

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Windows Service

T1543.003

pid	Process
2980	netsh.exe
3788	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	svchost.exe

Deletes itself 1 IoCs

pid	Process
4896	certreq.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\29E5.exe	29E5.exe

Executes dropped EXE 21 IoCs

pid	Process
3324	%S6t7.exe
4444	lPpDT.exe
2184	%S6t7.exe
2996	%S6t7.exe
3576	%S6t7.exe
1196	%S6t7.exe
5056	%S6t7.exe
3352	%S6t7.exe
2036	%S6t7.exe
3728	%S6t7.exe
3880	%S6t7.exe
4252	%S6t7.exe
3388	lPpDT.exe
3584	29E5.exe
4080	29E5.exe
3592	29E5.exe
2516	29E5.exe
3536	3010.exe
1312	29E5.exe
3252	29E5.exe
1844	svchost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\29E5 = "C:\\Users\\Admin\\AppData\\Local\\29E5.exe"	29E5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\29E5 = "C:\\Users\\Admin\\AppData\\Local\\29E5.exe"	29E5.exe

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2890696111-2332180956-3312704074-1000\desktop.ini	29E5.exe
File opened for modification	C:\Program Files\desktop.ini	29E5.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2890696111-2332180956-3312704074-1000\desktop.ini	29E5.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	svchost.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4668 set thread context of 1268	4668	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f.exe	85
PID 4444 set thread context of 3388	4444	lPpDT.exe	108
PID 3584 set thread context of 2516	3584	29E5.exe	112
PID 1312 set thread context of 3252	1312	29E5.exe	116

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-nodes_ja.jar	29E5.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado25.tlb	29E5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt_1.1.1.v20140903-0821.jar	29E5.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.nl_zh_4.4.0.v20140623020002.jar.id[3B771C5F-3483].[[email protected]].8base	29E5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_zh_TW.jar	29E5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\org-openide-util.jar	29E5.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\mshwLatin.dll.mui	29E5.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\orbd.exe.id[3B771C5F-3483].[[email protected]].8base	29E5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_pt_BR.jar	29E5.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-xstate-l2-1-0.dll.id[3B771C5F-3483].[[email protected]].8base	29E5.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msador15.dll	29E5.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-favorites_zh_CN.jar.id[3B771C5F-3483].[[email protected]].8base	29E5.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-applemenu.jar.id[3B771C5F-3483].[[email protected]].8base	29E5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\epl-v10.html	29E5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\org.eclipse.rcp_root_4.4.0.v20141007-2301	29E5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui.zh_CN_5.5.0.165303.jar	29E5.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-multitabs_zh_CN.jar.id[3B771C5F-3483].[[email protected]].8base	29E5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler_ja.jar	29E5.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	29E5.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\de.pak	29E5.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\splashscreen.dll.id[3B771C5F-3483].[[email protected]].8base	29E5.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml	29E5.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-swing-tabcontrol.xml.id[3B771C5F-3483].[[email protected]].8base	29E5.exe
File created	C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-file-l2-1-0.dll.id[3B771C5F-3483].[[email protected]].8base	29E5.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jfxmedia.dll.id[3B771C5F-3483].[[email protected]].8base	29E5.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\eclipse_1655.dll.id[3B771C5F-3483].[[email protected]].8base	29E5.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkTSFrame.png.id[3B771C5F-3483].[[email protected]].8base	29E5.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-autoupdate-cli.jar.id[3B771C5F-3483].[[email protected]].8base	29E5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Cambria.xml	29E5.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\vk_swiftshader_icd.json.id[3B771C5F-3483].[[email protected]].8base	29E5.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.properties.id[3B771C5F-3483].[[email protected]].8base	29E5.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-options_ja.jar.id[3B771C5F-3483].[[email protected]].8base	29E5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\feature.properties	29E5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.http.registry_1.1.300.v20130402-1529.jar	29E5.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\glib-lite.dll.id[3B771C5F-3483].[[email protected]].8base	29E5.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\jp2native.dll.id[3B771C5F-3483].[[email protected]].8base	29E5.exe
File created	C:\Program Files\Java\jre1.8.0_66\LICENSE.id[3B771C5F-3483].[[email protected]].8base	29E5.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe.id[3B771C5F-3483].[[email protected]].8base	29E5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\README-JDK.html	29E5.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_es.properties.id[3B771C5F-3483].[[email protected]].8base	29E5.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-charts_ja.jar.id[3B771C5F-3483].[[email protected]].8base	29E5.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\amd64\jvm.cfg.id[3B771C5F-3483].[[email protected]].8base	29E5.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\msadcor.dll.mui	29E5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.attach_5.5.0.165303.jar	29E5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\diagnostic-command-16.png	29E5.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\attach.dll.id[3B771C5F-3483].[[email protected]].8base	29E5.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-attach_ja.jar.id[3B771C5F-3483].[[email protected]].8base	29E5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\core\locale\com-sun-tools-visualvm-modules-startup_zh_CN.jar	29E5.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\InkObj.dll.mui	29E5.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe.id[3B771C5F-3483].[[email protected]].8base	29E5.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_cs.jar.id[3B771C5F-3483].[[email protected]].8base	29E5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\eclipse_update_120.jpg	29E5.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.repository.nl_zh_4.4.0.v20140623020002.jar.id[3B771C5F-3483].[[email protected]].8base	29E5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-swing-plaf.xml	29E5.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-utilities.jar.id[3B771C5F-3483].[[email protected]].8base	29E5.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial.xml	29E5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\license.html	29E5.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\doclib.gif.id[3B771C5F-3483].[[email protected]].8base	29E5.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\locale\boot_ja.jar.id[3B771C5F-3483].[[email protected]].8base	29E5.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt.nl_zh_4.4.0.v20140623020002.jar.id[3B771C5F-3483].[[email protected]].8base	29E5.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app.nl_zh_4.4.0.v20140623020002.jar.id[3B771C5F-3483].[[email protected]].8base	29E5.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sampler_ja.jar	29E5.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerView.PowerView.x-none.msi.16.x-none.xml.id[3B771C5F-3483].[[email protected]].8base	29E5.exe
File created	C:\Program Files\7-Zip\Lang\ja.txt.id[3B771C5F-3483].[[email protected]].8base	29E5.exe

Checks SCSI registry key(s) 3 TTPs 7 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	lPpDT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	lPpDT.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	lPpDT.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	certreq.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	certreq.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

pid	Process
4476	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1268	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f.exe
1268	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f.exe
1268	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f.exe
1268	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f.exe
4896	certreq.exe
4896	certreq.exe
4896	certreq.exe
4896	certreq.exe
3324	%S6t7.exe
3324	%S6t7.exe
3324	%S6t7.exe
3324	%S6t7.exe
3324	%S6t7.exe
3324	%S6t7.exe
3324	%S6t7.exe
3324	%S6t7.exe
3324	%S6t7.exe
3324	%S6t7.exe
3324	%S6t7.exe
3324	%S6t7.exe
3324	%S6t7.exe
3324	%S6t7.exe
3324	%S6t7.exe
3324	%S6t7.exe
3324	%S6t7.exe
3324	%S6t7.exe
3324	%S6t7.exe
3324	%S6t7.exe
3388	lPpDT.exe
3388	lPpDT.exe
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3156	Explorer.EXE

Suspicious behavior: MapViewOfSection 33 IoCs

pid	Process
3388	lPpDT.exe
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
3156	Explorer.EXE
2808	explorer.exe
2808	explorer.exe

Suspicious use of AdjustPrivilegeToken 59 IoCs

description	pid	Process
Token: SeDebugPrivilege	4668	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f.exe
Token: SeDebugPrivilege	3324	%S6t7.exe
Token: SeDebugPrivilege	4444	lPpDT.exe
Token: SeDebugPrivilege	3584	29E5.exe
Token: SeDebugPrivilege	1312	29E5.exe
Token: SeDebugPrivilege	3536	3010.exe
Token: SeDebugPrivilege	2516	29E5.exe
Token: SeBackupPrivilege	4724	vssvc.exe
Token: SeRestorePrivilege	4724	vssvc.exe
Token: SeAuditPrivilege	4724	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3424	WMIC.exe
Token: SeSecurityPrivilege	3424	WMIC.exe
Token: SeTakeOwnershipPrivilege	3424	WMIC.exe
Token: SeLoadDriverPrivilege	3424	WMIC.exe
Token: SeSystemProfilePrivilege	3424	WMIC.exe
Token: SeSystemtimePrivilege	3424	WMIC.exe
Token: SeProfSingleProcessPrivilege	3424	WMIC.exe
Token: SeIncBasePriorityPrivilege	3424	WMIC.exe
Token: SeCreatePagefilePrivilege	3424	WMIC.exe
Token: SeBackupPrivilege	3424	WMIC.exe
Token: SeRestorePrivilege	3424	WMIC.exe
Token: SeShutdownPrivilege	3424	WMIC.exe
Token: SeDebugPrivilege	3424	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3424	WMIC.exe
Token: SeRemoteShutdownPrivilege	3424	WMIC.exe
Token: SeUndockPrivilege	3424	WMIC.exe
Token: SeManageVolumePrivilege	3424	WMIC.exe
Token: 33	3424	WMIC.exe
Token: 34	3424	WMIC.exe
Token: 35	3424	WMIC.exe
Token: 36	3424	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3424	WMIC.exe
Token: SeSecurityPrivilege	3424	WMIC.exe
Token: SeTakeOwnershipPrivilege	3424	WMIC.exe
Token: SeLoadDriverPrivilege	3424	WMIC.exe
Token: SeSystemProfilePrivilege	3424	WMIC.exe
Token: SeSystemtimePrivilege	3424	WMIC.exe
Token: SeProfSingleProcessPrivilege	3424	WMIC.exe
Token: SeIncBasePriorityPrivilege	3424	WMIC.exe
Token: SeCreatePagefilePrivilege	3424	WMIC.exe
Token: SeBackupPrivilege	3424	WMIC.exe
Token: SeRestorePrivilege	3424	WMIC.exe
Token: SeShutdownPrivilege	3424	WMIC.exe
Token: SeDebugPrivilege	3424	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3424	WMIC.exe
Token: SeRemoteShutdownPrivilege	3424	WMIC.exe
Token: SeUndockPrivilege	3424	WMIC.exe
Token: SeManageVolumePrivilege	3424	WMIC.exe
Token: 33	3424	WMIC.exe
Token: 34	3424	WMIC.exe
Token: 35	3424	WMIC.exe
Token: 36	3424	WMIC.exe
Token: SeBackupPrivilege	4184	wbengine.exe
Token: SeRestorePrivilege	4184	wbengine.exe
Token: SeSecurityPrivilege	4184	wbengine.exe
Token: SeShutdownPrivilege	3156	Explorer.EXE
Token: SeCreatePagefilePrivilege	3156	Explorer.EXE
Token: SeShutdownPrivilege	3156	Explorer.EXE
Token: SeCreatePagefilePrivilege	3156	Explorer.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1844	svchost.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3156	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4668 wrote to memory of 1268	4668	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f.exe	85
PID 4668 wrote to memory of 1268	4668	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f.exe	85
PID 4668 wrote to memory of 1268	4668	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f.exe	85
PID 4668 wrote to memory of 1268	4668	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f.exe	85
PID 4668 wrote to memory of 1268	4668	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f.exe	85
PID 4668 wrote to memory of 1268	4668	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f.exe	85
PID 4668 wrote to memory of 1268	4668	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f.exe	85
PID 4668 wrote to memory of 1268	4668	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f.exe	85
PID 1268 wrote to memory of 4896	1268	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f.exe	91
PID 1268 wrote to memory of 4896	1268	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f.exe	91
PID 1268 wrote to memory of 4896	1268	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f.exe	91
PID 1268 wrote to memory of 4896	1268	8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f.exe	91
PID 3324 wrote to memory of 4252	3324	%S6t7.exe	98
PID 3324 wrote to memory of 4252	3324	%S6t7.exe	98
PID 3324 wrote to memory of 4252	3324	%S6t7.exe	98
PID 3324 wrote to memory of 2184	3324	%S6t7.exe	99
PID 3324 wrote to memory of 2184	3324	%S6t7.exe	99
PID 3324 wrote to memory of 2184	3324	%S6t7.exe	99
PID 3324 wrote to memory of 2996	3324	%S6t7.exe	107
PID 3324 wrote to memory of 2996	3324	%S6t7.exe	107
PID 3324 wrote to memory of 2996	3324	%S6t7.exe	107
PID 3324 wrote to memory of 3576	3324	%S6t7.exe	106
PID 3324 wrote to memory of 3576	3324	%S6t7.exe	106
PID 3324 wrote to memory of 3576	3324	%S6t7.exe	106
PID 3324 wrote to memory of 1196	3324	%S6t7.exe	105
PID 3324 wrote to memory of 1196	3324	%S6t7.exe	105
PID 3324 wrote to memory of 1196	3324	%S6t7.exe	105
PID 3324 wrote to memory of 5056	3324	%S6t7.exe	104
PID 3324 wrote to memory of 5056	3324	%S6t7.exe	104
PID 3324 wrote to memory of 5056	3324	%S6t7.exe	104
PID 3324 wrote to memory of 3352	3324	%S6t7.exe	103
PID 3324 wrote to memory of 3352	3324	%S6t7.exe	103
PID 3324 wrote to memory of 3352	3324	%S6t7.exe	103
PID 3324 wrote to memory of 2036	3324	%S6t7.exe	102
PID 3324 wrote to memory of 2036	3324	%S6t7.exe	102
PID 3324 wrote to memory of 2036	3324	%S6t7.exe	102
PID 3324 wrote to memory of 3728	3324	%S6t7.exe	101
PID 3324 wrote to memory of 3728	3324	%S6t7.exe	101
PID 3324 wrote to memory of 3728	3324	%S6t7.exe	101
PID 3324 wrote to memory of 3880	3324	%S6t7.exe	100
PID 3324 wrote to memory of 3880	3324	%S6t7.exe	100
PID 3324 wrote to memory of 3880	3324	%S6t7.exe	100
PID 4444 wrote to memory of 3388	4444	lPpDT.exe	108
PID 4444 wrote to memory of 3388	4444	lPpDT.exe	108
PID 4444 wrote to memory of 3388	4444	lPpDT.exe	108
PID 4444 wrote to memory of 3388	4444	lPpDT.exe	108
PID 4444 wrote to memory of 3388	4444	lPpDT.exe	108
PID 4444 wrote to memory of 3388	4444	lPpDT.exe	108
PID 3156 wrote to memory of 3584	3156	Explorer.EXE	109
PID 3156 wrote to memory of 3584	3156	Explorer.EXE	109
PID 3156 wrote to memory of 3584	3156	Explorer.EXE	109
PID 3584 wrote to memory of 3592	3584	29E5.exe	110
PID 3584 wrote to memory of 3592	3584	29E5.exe	110
PID 3584 wrote to memory of 3592	3584	29E5.exe	110
PID 3584 wrote to memory of 4080	3584	29E5.exe	111
PID 3584 wrote to memory of 4080	3584	29E5.exe	111
PID 3584 wrote to memory of 4080	3584	29E5.exe	111
PID 3584 wrote to memory of 2516	3584	29E5.exe	112
PID 3584 wrote to memory of 2516	3584	29E5.exe	112
PID 3584 wrote to memory of 2516	3584	29E5.exe	112
PID 3584 wrote to memory of 2516	3584	29E5.exe	112
PID 3584 wrote to memory of 2516	3584	29E5.exe	112
PID 3584 wrote to memory of 2516	3584	29E5.exe	112
PID 3584 wrote to memory of 2516	3584	29E5.exe	112

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3156
- C:\Users\Admin\AppData\Local\Temp\8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f.exe
  "C:\Users\Admin\AppData\Local\Temp\8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4668
- - C:\Users\Admin\AppData\Local\Temp\8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f.exe
    C:\Users\Admin\AppData\Local\Temp\8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f.exe
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1268
- C:\Windows\system32\certreq.exe
  "C:\Windows\system32\certreq.exe"
  2⤵
  - Deletes itself
  - Accesses Microsoft Outlook profiles
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:4896
- C:\Users\Admin\AppData\Local\Temp\29E5.exe
  C:\Users\Admin\AppData\Local\Temp\29E5.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3584
- - C:\Users\Admin\AppData\Local\Temp\29E5.exe
    C:\Users\Admin\AppData\Local\Temp\29E5.exe
    3⤵
    - Executes dropped EXE
    PID:3592
- - C:\Users\Admin\AppData\Local\Temp\29E5.exe
    C:\Users\Admin\AppData\Local\Temp\29E5.exe
    3⤵
    - Executes dropped EXE
    PID:4080
- - C:\Users\Admin\AppData\Local\Temp\29E5.exe
    C:\Users\Admin\AppData\Local\Temp\29E5.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    PID:2516
  - - C:\Users\Admin\AppData\Local\Temp\29E5.exe
      "C:\Users\Admin\AppData\Local\Temp\29E5.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:1312
    - - C:\Users\Admin\AppData\Local\Temp\29E5.exe
        
        C:\Users\Admin\AppData\Local\Temp\29E5.exe
        5⤵
        Executes dropped EXE
        
        PID:3252
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      PID:2668
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:4476
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3424
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:892
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} recoveryenabled no
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:3584
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin delete catalog -quiet
        5⤵
        Deletes backup catalog
        
        PID:4256
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      PID:2344
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set currentprofile state off
        5⤵
        Modifies Windows Firewall
        
        PID:2980
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall set opmode mode=disable
        5⤵
        Modifies Windows Firewall
        
        PID:3788
- C:\Users\Admin\AppData\Local\Temp\3010.exe
  C:\Users\Admin\AppData\Local\Temp\3010.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3536
- - C:\Users\Admin\AppData\Local\Temp\3010.exe
    "C:\Users\Admin\AppData\Local\Temp\3010.exe"
    3⤵
    PID:220
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  - Accesses Microsoft Outlook profiles
  - outlook_office_path
  - outlook_win_path
  PID:1036
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:4048
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:2840
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:3184
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:5100
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:2652
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:1516
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:1168
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:2540
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:4412
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:4080
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:2132
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:2268
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:1832
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  - Suspicious behavior: MapViewOfSection
  PID:2808
- - C:\Users\Admin\AppData\Local\Temp\8004.tmp\svchost.exe
    C:\Users\Admin\AppData\Local\Temp\8004.tmp\svchost.exe -debug
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of FindShellTrayWindow
    PID:1844

C:\Users\Admin\AppData\Local\Microsoft\%S6t7.exe
"C:\Users\Admin\AppData\Local\Microsoft\%S6t7.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3324
- C:\Users\Admin\AppData\Local\Microsoft\%S6t7.exe
  C:\Users\Admin\AppData\Local\Microsoft\%S6t7.exe
  2⤵
  - Executes dropped EXE
  PID:4252
- C:\Users\Admin\AppData\Local\Microsoft\%S6t7.exe
  C:\Users\Admin\AppData\Local\Microsoft\%S6t7.exe
  2⤵
  - Executes dropped EXE
  PID:2184
- C:\Users\Admin\AppData\Local\Microsoft\%S6t7.exe
  C:\Users\Admin\AppData\Local\Microsoft\%S6t7.exe
  2⤵
  - Executes dropped EXE
  PID:3880
- C:\Users\Admin\AppData\Local\Microsoft\%S6t7.exe
  C:\Users\Admin\AppData\Local\Microsoft\%S6t7.exe
  2⤵
  - Executes dropped EXE
  PID:3728
- C:\Users\Admin\AppData\Local\Microsoft\%S6t7.exe
  C:\Users\Admin\AppData\Local\Microsoft\%S6t7.exe
  2⤵
  - Executes dropped EXE
  PID:2036
- C:\Users\Admin\AppData\Local\Microsoft\%S6t7.exe
  C:\Users\Admin\AppData\Local\Microsoft\%S6t7.exe
  2⤵
  - Executes dropped EXE
  PID:3352
- C:\Users\Admin\AppData\Local\Microsoft\%S6t7.exe
  C:\Users\Admin\AppData\Local\Microsoft\%S6t7.exe
  2⤵
  - Executes dropped EXE
  PID:5056
- C:\Users\Admin\AppData\Local\Microsoft\%S6t7.exe
  C:\Users\Admin\AppData\Local\Microsoft\%S6t7.exe
  2⤵
  - Executes dropped EXE
  PID:1196
- C:\Users\Admin\AppData\Local\Microsoft\%S6t7.exe
  C:\Users\Admin\AppData\Local\Microsoft\%S6t7.exe
  2⤵
  - Executes dropped EXE
  PID:3576
- C:\Users\Admin\AppData\Local\Microsoft\%S6t7.exe
  C:\Users\Admin\AppData\Local\Microsoft\%S6t7.exe
  2⤵
  - Executes dropped EXE
  PID:2996

C:\Users\Admin\AppData\Local\Microsoft\lPpDT.exe
"C:\Users\Admin\AppData\Local\Microsoft\lPpDT.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4444
- C:\Users\Admin\AppData\Local\Microsoft\lPpDT.exe
  C:\Users\Admin\AppData\Local\Microsoft\lPpDT.exe
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:3388

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4724

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k swprv
1⤵
PID:4048

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4184

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:4952

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:1900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Inhibit System Recovery