glupteba | ea27b93898a1c89af5152d9ba100d72c32ef5aa1c8f229081f900b3fea970edc

Windows Service

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	6cG1Iw3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	6cG1Iw3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	6cG1Iw3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	6cG1Iw3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	6cG1Iw3.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 7 IoCs

resource	yara_rule
behavioral1/memory/5012-38-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline
behavioral1/files/0x000800000001ac1d-580.dat	family_redline
behavioral1/files/0x000800000001ac1d-581.dat	family_redline
behavioral1/memory/4968-582-0x0000000000B70000-0x0000000000B8E000-memory.dmp	family_redline
behavioral1/files/0x000900000001ac29-1340.dat	family_redline
behavioral1/files/0x000900000001ac29-1339.dat	family_redline
behavioral1/memory/2336-1373-0x0000000000540000-0x000000000059A000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000800000001ac1d-580.dat	family_sectoprat
behavioral1/files/0x000800000001ac1d-581.dat	family_sectoprat
behavioral1/memory/4968-582-0x0000000000B70000-0x0000000000B8E000-memory.dmp	family_sectoprat

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

pid	Process
4336	netsh.exe

.NET Reactor proctector 19 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/memory/3496-74-0x0000000002330000-0x0000000002350000-memory.dmp	net_reactor
behavioral1/memory/3496-76-0x00000000024D0000-0x00000000024EE000-memory.dmp	net_reactor
behavioral1/memory/3496-77-0x00000000024D0000-0x00000000024E9000-memory.dmp	net_reactor
behavioral1/memory/3496-78-0x00000000024D0000-0x00000000024E9000-memory.dmp	net_reactor
behavioral1/memory/3496-80-0x00000000024D0000-0x00000000024E9000-memory.dmp	net_reactor
behavioral1/memory/3496-82-0x00000000024D0000-0x00000000024E9000-memory.dmp	net_reactor
behavioral1/memory/3496-84-0x00000000024D0000-0x00000000024E9000-memory.dmp	net_reactor
behavioral1/memory/3496-86-0x00000000024D0000-0x00000000024E9000-memory.dmp	net_reactor
behavioral1/memory/3496-94-0x00000000024D0000-0x00000000024E9000-memory.dmp	net_reactor
behavioral1/memory/3496-92-0x00000000024D0000-0x00000000024E9000-memory.dmp	net_reactor
behavioral1/memory/3496-98-0x00000000024D0000-0x00000000024E9000-memory.dmp	net_reactor
behavioral1/memory/3496-100-0x00000000024D0000-0x00000000024E9000-memory.dmp	net_reactor
behavioral1/memory/3496-96-0x00000000024D0000-0x00000000024E9000-memory.dmp	net_reactor
behavioral1/memory/3496-90-0x00000000024D0000-0x00000000024E9000-memory.dmp	net_reactor
behavioral1/memory/3496-102-0x00000000024D0000-0x00000000024E9000-memory.dmp	net_reactor
behavioral1/memory/3496-106-0x00000000024D0000-0x00000000024E9000-memory.dmp	net_reactor
behavioral1/memory/3496-104-0x00000000024D0000-0x00000000024E9000-memory.dmp	net_reactor
behavioral1/memory/3496-88-0x00000000024D0000-0x00000000024E9000-memory.dmp	net_reactor
behavioral1/memory/3496-108-0x00000000024D0000-0x00000000024E9000-memory.dmp	net_reactor

Executes dropped EXE 17 IoCs

pid	Process
5084	xG6iH06.exe
488	YV4lg82.exe
1100	Qx8mY25.exe
2300	2si9994.exe
4744	3Gm70Ro.exe
992	4hA800iE.exe
656	5Ti4Af6.exe
3496	6cG1Iw3.exe
4360	5D1F.exe
2056	InstallSetup5.exe
752	toolspub2.exe
224	31839b57a4f11171d6abc8bbc4451ee4.exe
1644	Broom.exe
1364	toolspub2.exe
4440	31839b57a4f11171d6abc8bbc4451ee4.exe
5040	C679.exe
4968	C919.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000600000001ac41-5108.dat	upx
behavioral1/files/0x000600000001ac41-5118.dat	upx

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	6cG1Iw3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	6cG1Iw3.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ea27b93898a1c89af5152d9ba100d72c32ef5aa1c8f229081f900b3fea970edc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	xG6iH06.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	YV4lg82.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Qx8mY25.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2300 set thread context of 684	2300	2si9994.exe	76
PID 4744 set thread context of 5012	4744	3Gm70Ro.exe	81
PID 992 set thread context of 3816	992	4hA800iE.exe	84
PID 752 set thread context of 1364	752	toolspub2.exe	92

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4620	684	WerFault.exe	76
4000	2336	WerFault.exe	116

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5Ti4Af6.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5Ti4Af6.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	5Ti4Af6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
4380	schtasks.exe
4084	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
656	5Ti4Af6.exe
656	5Ti4Af6.exe
3116	Process not Found
3116	Process not Found
3116	Process not Found
3116	Process not Found
3116	Process not Found
3116	Process not Found
3116	Process not Found
3116	Process not Found
3116	Process not Found
3116	Process not Found
3116	Process not Found
3116	Process not Found
3116	Process not Found
3116	Process not Found
3116	Process not Found
3116	Process not Found
3116	Process not Found
3116	Process not Found
3116	Process not Found
3116	Process not Found
3116	Process not Found
3116	Process not Found
3116	Process not Found
3116	Process not Found
3116	Process not Found
3116	Process not Found
3116	Process not Found
3116	Process not Found
3116	Process not Found
3116	Process not Found
3116	Process not Found
3116	Process not Found
3116	Process not Found
3116	Process not Found
3116	Process not Found
3116	Process not Found
3116	Process not Found
3116	Process not Found
3116	Process not Found
3116	Process not Found
3116	Process not Found
3116	Process not Found
3116	Process not Found
3116	Process not Found
3116	Process not Found
3116	Process not Found
3496	6cG1Iw3.exe
3496	6cG1Iw3.exe
3116	Process not Found
3116	Process not Found
3116	Process not Found
3116	Process not Found
3116	Process not Found
3116	Process not Found
3116	Process not Found
3116	Process not Found
3116	Process not Found
3116	Process not Found
3116	Process not Found
3116	Process not Found
3116	Process not Found
3116	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3116	Process not Found

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
656	5Ti4Af6.exe
1364	toolspub2.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	3496	6cG1Iw3.exe
Token: SeShutdownPrivilege	3116	Process not Found
Token: SeCreatePagefilePrivilege	3116	Process not Found
Token: SeShutdownPrivilege	3116	Process not Found
Token: SeCreatePagefilePrivilege	3116	Process not Found
Token: SeShutdownPrivilege	3116	Process not Found
Token: SeCreatePagefilePrivilege	3116	Process not Found
Token: SeDebugPrivilege	1992	powershell.exe
Token: SeShutdownPrivilege	3116	Process not Found
Token: SeCreatePagefilePrivilege	3116	Process not Found
Token: SeDebugPrivilege	224	31839b57a4f11171d6abc8bbc4451ee4.exe
Token: SeImpersonatePrivilege	224	31839b57a4f11171d6abc8bbc4451ee4.exe
Token: SeShutdownPrivilege	3116	Process not Found
Token: SeCreatePagefilePrivilege	3116	Process not Found
Token: SeDebugPrivilege	4788	powershell.exe
Token: SeShutdownPrivilege	3116	Process not Found
Token: SeCreatePagefilePrivilege	3116	Process not Found
Token: SeShutdownPrivilege	3116	Process not Found
Token: SeCreatePagefilePrivilege	3116	Process not Found
Token: SeShutdownPrivilege	3116	Process not Found
Token: SeCreatePagefilePrivilege	3116	Process not Found
Token: SeDebugPrivilege	4968	C919.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1644	Broom.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 520 wrote to memory of 5084	520	ea27b93898a1c89af5152d9ba100d72c32ef5aa1c8f229081f900b3fea970edc.exe	71
PID 520 wrote to memory of 5084	520	ea27b93898a1c89af5152d9ba100d72c32ef5aa1c8f229081f900b3fea970edc.exe	71
PID 520 wrote to memory of 5084	520	ea27b93898a1c89af5152d9ba100d72c32ef5aa1c8f229081f900b3fea970edc.exe	71
PID 5084 wrote to memory of 488	5084	xG6iH06.exe	72
PID 5084 wrote to memory of 488	5084	xG6iH06.exe	72
PID 5084 wrote to memory of 488	5084	xG6iH06.exe	72
PID 488 wrote to memory of 1100	488	YV4lg82.exe	73
PID 488 wrote to memory of 1100	488	YV4lg82.exe	73
PID 488 wrote to memory of 1100	488	YV4lg82.exe	73
PID 1100 wrote to memory of 2300	1100	Qx8mY25.exe	74
PID 1100 wrote to memory of 2300	1100	Qx8mY25.exe	74
PID 1100 wrote to memory of 2300	1100	Qx8mY25.exe	74
PID 2300 wrote to memory of 684	2300	2si9994.exe	76
PID 2300 wrote to memory of 684	2300	2si9994.exe	76
PID 2300 wrote to memory of 684	2300	2si9994.exe	76
PID 2300 wrote to memory of 684	2300	2si9994.exe	76
PID 2300 wrote to memory of 684	2300	2si9994.exe	76
PID 2300 wrote to memory of 684	2300	2si9994.exe	76
PID 2300 wrote to memory of 684	2300	2si9994.exe	76
PID 2300 wrote to memory of 684	2300	2si9994.exe	76
PID 2300 wrote to memory of 684	2300	2si9994.exe	76
PID 2300 wrote to memory of 684	2300	2si9994.exe	76
PID 1100 wrote to memory of 4744	1100	Qx8mY25.exe	77
PID 1100 wrote to memory of 4744	1100	Qx8mY25.exe	77
PID 1100 wrote to memory of 4744	1100	Qx8mY25.exe	77
PID 4744 wrote to memory of 5012	4744	3Gm70Ro.exe	81
PID 4744 wrote to memory of 5012	4744	3Gm70Ro.exe	81
PID 4744 wrote to memory of 5012	4744	3Gm70Ro.exe	81
PID 4744 wrote to memory of 5012	4744	3Gm70Ro.exe	81
PID 4744 wrote to memory of 5012	4744	3Gm70Ro.exe	81
PID 4744 wrote to memory of 5012	4744	3Gm70Ro.exe	81
PID 4744 wrote to memory of 5012	4744	3Gm70Ro.exe	81
PID 4744 wrote to memory of 5012	4744	3Gm70Ro.exe	81
PID 488 wrote to memory of 992	488	YV4lg82.exe	82
PID 488 wrote to memory of 992	488	YV4lg82.exe	82
PID 488 wrote to memory of 992	488	YV4lg82.exe	82
PID 992 wrote to memory of 3816	992	4hA800iE.exe	84
PID 992 wrote to memory of 3816	992	4hA800iE.exe	84
PID 992 wrote to memory of 3816	992	4hA800iE.exe	84
PID 992 wrote to memory of 3816	992	4hA800iE.exe	84
PID 992 wrote to memory of 3816	992	4hA800iE.exe	84
PID 992 wrote to memory of 3816	992	4hA800iE.exe	84
PID 992 wrote to memory of 3816	992	4hA800iE.exe	84
PID 992 wrote to memory of 3816	992	4hA800iE.exe	84
PID 992 wrote to memory of 3816	992	4hA800iE.exe	84
PID 5084 wrote to memory of 656	5084	xG6iH06.exe	85
PID 5084 wrote to memory of 656	5084	xG6iH06.exe	85
PID 5084 wrote to memory of 656	5084	xG6iH06.exe	85
PID 520 wrote to memory of 3496	520	ea27b93898a1c89af5152d9ba100d72c32ef5aa1c8f229081f900b3fea970edc.exe	86
PID 520 wrote to memory of 3496	520	ea27b93898a1c89af5152d9ba100d72c32ef5aa1c8f229081f900b3fea970edc.exe	86
PID 520 wrote to memory of 3496	520	ea27b93898a1c89af5152d9ba100d72c32ef5aa1c8f229081f900b3fea970edc.exe	86
PID 3116 wrote to memory of 4360	3116	Process not Found	87
PID 3116 wrote to memory of 4360	3116	Process not Found	87
PID 3116 wrote to memory of 4360	3116	Process not Found	87
PID 4360 wrote to memory of 2056	4360	5D1F.exe	88
PID 4360 wrote to memory of 2056	4360	5D1F.exe	88
PID 4360 wrote to memory of 2056	4360	5D1F.exe	88
PID 4360 wrote to memory of 752	4360	5D1F.exe	89
PID 4360 wrote to memory of 752	4360	5D1F.exe	89
PID 4360 wrote to memory of 752	4360	5D1F.exe	89
PID 4360 wrote to memory of 224	4360	5D1F.exe	91
PID 4360 wrote to memory of 224	4360	5D1F.exe	91
PID 4360 wrote to memory of 224	4360	5D1F.exe	91
PID 2056 wrote to memory of 1644	2056	InstallSetup5.exe	90

C:\Users\Admin\AppData\Local\Temp\ea27b93898a1c89af5152d9ba100d72c32ef5aa1c8f229081f900b3fea970edc.exe
"C:\Users\Admin\AppData\Local\Temp\ea27b93898a1c89af5152d9ba100d72c32ef5aa1c8f229081f900b3fea970edc.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:520
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xG6iH06.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xG6iH06.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5084
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YV4lg82.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\YV4lg82.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:488
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Qx8mY25.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Qx8mY25.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1100
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2si9994.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2si9994.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2300
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:684
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 684 -s 568
        7⤵
        Program crash
        
        PID:4620
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Gm70Ro.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Gm70Ro.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4744
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:5012
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4hA800iE.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4hA800iE.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:992
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:3816
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5Ti4Af6.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5Ti4Af6.exe
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:656
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6cG1Iw3.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6cG1Iw3.exe
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Windows security modification
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3496

C:\Users\Admin\AppData\Local\Temp\5D1F.exe
C:\Users\Admin\AppData\Local\Temp\5D1F.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4360
- C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Users\Admin\AppData\Local\Temp\Broom.exe
    C:\Users\Admin\AppData\Local\Temp\Broom.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1644
- C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
  "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:752
- - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
    PID:1364
- C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
  "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:224
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1992
- - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    PID:4440
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Modifies data under HKEY_USERS
      Suspicious use of AdjustPrivilegeToken
      PID:4788
  - - C:\Windows\System32\cmd.exe
      C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      4⤵
      PID:2524
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:4336
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:5068
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:1956
  - - C:\Windows\rss\csrss.exe
      C:\Windows\rss\csrss.exe
      4⤵
      PID:3476
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:912
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        Creates scheduled task(s)
        
        PID:4380
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        5⤵
        
        PID:1924
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:5068
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:2136
    - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        5⤵
        
        PID:352
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        Creates scheduled task(s)
        
        PID:4084
    - - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        5⤵
        
        PID:1020
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        5⤵
        
        PID:2676

C:\Users\Admin\AppData\Local\Temp\C679.exe
C:\Users\Admin\AppData\Local\Temp\C679.exe
1⤵
- Executes dropped EXE
PID:5040
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  2⤵
  PID:1920

C:\Users\Admin\AppData\Local\Temp\C919.exe
C:\Users\Admin\AppData\Local\Temp\C919.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4968

C:\Users\Admin\AppData\Local\Temp\B82.exe
C:\Users\Admin\AppData\Local\Temp\B82.exe
1⤵
PID:2968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  2⤵
  PID:4800

C:\Users\Admin\AppData\Local\Temp\E43.exe
C:\Users\Admin\AppData\Local\Temp\E43.exe
1⤵
PID:5044

C:\Users\Admin\AppData\Local\Temp\1577.exe
C:\Users\Admin\AppData\Local\Temp\1577.exe
1⤵
PID:796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  2⤵
  PID:4712

C:\Users\Admin\AppData\Local\Temp\18B4.exe
C:\Users\Admin\AppData\Local\Temp\18B4.exe
1⤵
PID:2336
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 756
  2⤵
  - Program crash
  PID:4000

C:\Users\Admin\AppData\Local\Temp\1BB3.exe
C:\Users\Admin\AppData\Local\Temp\1BB3.exe
1⤵
PID:2708

C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe" --nt-service -f "C:\Users\Admin\AppData\Local\Temp\csrss\tor\torrc" --Log "notice file C:\Users\Admin\AppData\Local\Temp\csrss\tor\log.txt"
1⤵
PID:820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Scheduled Task/Job

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry