84687c1731cad90d812aba959aaff093d528df05b10f7836e867425d3457bc5c

Windows Service

T1543.003

Processes:

reg.exereg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\1e2f264dcb18c99efde72203397b4bb1.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1e2f264dcb18c99efde72203397b4bb1.exe:*:Enabled:Windows Messanger"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\local.exe = "C:\\Users\\Admin\\AppData\\Roaming\\local.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

Processes:

1e2f264dcb18c99efde72203397b4bb1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	1e2f264dcb18c99efde72203397b4bb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Windows.exe = "C:\\Users\\Admin\\AppData\\Roaming\\local.exe"	1e2f264dcb18c99efde72203397b4bb1.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

Processes:

1e2f264dcb18c99efde72203397b4bb1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6CE9E7B3-E0EF-E37D-DDBC-CBFBFCBDA4BA}	1e2f264dcb18c99efde72203397b4bb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6CE9E7B3-E0EF-E37D-DDBC-CBFBFCBDA4BA}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\local.exe"	1e2f264dcb18c99efde72203397b4bb1.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{6CE9E7B3-E0EF-E37D-DDBC-CBFBFCBDA4BA}	1e2f264dcb18c99efde72203397b4bb1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{6CE9E7B3-E0EF-E37D-DDBC-CBFBFCBDA4BA}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\local.exe"	1e2f264dcb18c99efde72203397b4bb1.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

Processes:

1e2f264dcb18c99efde72203397b4bb1.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows.exe = "C:\\Users\\Admin\\AppData\\Roaming\\local.exe"	1e2f264dcb18c99efde72203397b4bb1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows.exe = "C:\\Users\\Admin\\AppData\\Roaming\\local.exe"	1e2f264dcb18c99efde72203397b4bb1.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

1e2f264dcb18c99efde72203397b4bb1.exe

description ioc process

File opened for modification \??\PhysicalDrive0 1e2f264dcb18c99efde72203397b4bb1.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	1e2f264dcb18c99efde72203397b4bb1.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

1e2f264dcb18c99efde72203397b4bb1.exe1e2f264dcb18c99efde72203397b4bb1.exe

description	pid	process	target process
PID 2624 set thread context of 1372	2624	1e2f264dcb18c99efde72203397b4bb1.exe	1e2f264dcb18c99efde72203397b4bb1.exe
PID 1372 set thread context of 4804	1372	1e2f264dcb18c99efde72203397b4bb1.exe	1e2f264dcb18c99efde72203397b4bb1.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exe

pid process

3896 reg.exe
1552 reg.exe
1780 reg.exe
4444 reg.exe

pid	process
3896	reg.exe
1552	reg.exe
1780	reg.exe
4444	reg.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

1e2f264dcb18c99efde72203397b4bb1.exe

description	pid	process
Token: 1	4804	1e2f264dcb18c99efde72203397b4bb1.exe
Token: SeCreateTokenPrivilege	4804	1e2f264dcb18c99efde72203397b4bb1.exe
Token: SeAssignPrimaryTokenPrivilege	4804	1e2f264dcb18c99efde72203397b4bb1.exe
Token: SeLockMemoryPrivilege	4804	1e2f264dcb18c99efde72203397b4bb1.exe
Token: SeIncreaseQuotaPrivilege	4804	1e2f264dcb18c99efde72203397b4bb1.exe
Token: SeMachineAccountPrivilege	4804	1e2f264dcb18c99efde72203397b4bb1.exe
Token: SeTcbPrivilege	4804	1e2f264dcb18c99efde72203397b4bb1.exe
Token: SeSecurityPrivilege	4804	1e2f264dcb18c99efde72203397b4bb1.exe
Token: SeTakeOwnershipPrivilege	4804	1e2f264dcb18c99efde72203397b4bb1.exe
Token: SeLoadDriverPrivilege	4804	1e2f264dcb18c99efde72203397b4bb1.exe
Token: SeSystemProfilePrivilege	4804	1e2f264dcb18c99efde72203397b4bb1.exe
Token: SeSystemtimePrivilege	4804	1e2f264dcb18c99efde72203397b4bb1.exe
Token: SeProfSingleProcessPrivilege	4804	1e2f264dcb18c99efde72203397b4bb1.exe
Token: SeIncBasePriorityPrivilege	4804	1e2f264dcb18c99efde72203397b4bb1.exe
Token: SeCreatePagefilePrivilege	4804	1e2f264dcb18c99efde72203397b4bb1.exe
Token: SeCreatePermanentPrivilege	4804	1e2f264dcb18c99efde72203397b4bb1.exe
Token: SeBackupPrivilege	4804	1e2f264dcb18c99efde72203397b4bb1.exe
Token: SeRestorePrivilege	4804	1e2f264dcb18c99efde72203397b4bb1.exe
Token: SeShutdownPrivilege	4804	1e2f264dcb18c99efde72203397b4bb1.exe
Token: SeDebugPrivilege	4804	1e2f264dcb18c99efde72203397b4bb1.exe
Token: SeAuditPrivilege	4804	1e2f264dcb18c99efde72203397b4bb1.exe
Token: SeSystemEnvironmentPrivilege	4804	1e2f264dcb18c99efde72203397b4bb1.exe
Token: SeChangeNotifyPrivilege	4804	1e2f264dcb18c99efde72203397b4bb1.exe
Token: SeRemoteShutdownPrivilege	4804	1e2f264dcb18c99efde72203397b4bb1.exe
Token: SeUndockPrivilege	4804	1e2f264dcb18c99efde72203397b4bb1.exe
Token: SeSyncAgentPrivilege	4804	1e2f264dcb18c99efde72203397b4bb1.exe
Token: SeEnableDelegationPrivilege	4804	1e2f264dcb18c99efde72203397b4bb1.exe
Token: SeManageVolumePrivilege	4804	1e2f264dcb18c99efde72203397b4bb1.exe
Token: SeImpersonatePrivilege	4804	1e2f264dcb18c99efde72203397b4bb1.exe
Token: SeCreateGlobalPrivilege	4804	1e2f264dcb18c99efde72203397b4bb1.exe
Token: 31	4804	1e2f264dcb18c99efde72203397b4bb1.exe
Token: 32	4804	1e2f264dcb18c99efde72203397b4bb1.exe
Token: 33	4804	1e2f264dcb18c99efde72203397b4bb1.exe
Token: 34	4804	1e2f264dcb18c99efde72203397b4bb1.exe
Token: 35	4804	1e2f264dcb18c99efde72203397b4bb1.exe
Token: SeDebugPrivilege	4804	1e2f264dcb18c99efde72203397b4bb1.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

1e2f264dcb18c99efde72203397b4bb1.exe1e2f264dcb18c99efde72203397b4bb1.exe1e2f264dcb18c99efde72203397b4bb1.exe

pid	process
2624	1e2f264dcb18c99efde72203397b4bb1.exe
1372	1e2f264dcb18c99efde72203397b4bb1.exe
4804	1e2f264dcb18c99efde72203397b4bb1.exe
4804	1e2f264dcb18c99efde72203397b4bb1.exe
4804	1e2f264dcb18c99efde72203397b4bb1.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

1e2f264dcb18c99efde72203397b4bb1.exe1e2f264dcb18c99efde72203397b4bb1.exe1e2f264dcb18c99efde72203397b4bb1.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2624 wrote to memory of 1372	2624	1e2f264dcb18c99efde72203397b4bb1.exe	1e2f264dcb18c99efde72203397b4bb1.exe
PID 2624 wrote to memory of 1372	2624	1e2f264dcb18c99efde72203397b4bb1.exe	1e2f264dcb18c99efde72203397b4bb1.exe
PID 2624 wrote to memory of 1372	2624	1e2f264dcb18c99efde72203397b4bb1.exe	1e2f264dcb18c99efde72203397b4bb1.exe
PID 2624 wrote to memory of 1372	2624	1e2f264dcb18c99efde72203397b4bb1.exe	1e2f264dcb18c99efde72203397b4bb1.exe
PID 2624 wrote to memory of 1372	2624	1e2f264dcb18c99efde72203397b4bb1.exe	1e2f264dcb18c99efde72203397b4bb1.exe
PID 2624 wrote to memory of 1372	2624	1e2f264dcb18c99efde72203397b4bb1.exe	1e2f264dcb18c99efde72203397b4bb1.exe
PID 2624 wrote to memory of 1372	2624	1e2f264dcb18c99efde72203397b4bb1.exe	1e2f264dcb18c99efde72203397b4bb1.exe
PID 2624 wrote to memory of 1372	2624	1e2f264dcb18c99efde72203397b4bb1.exe	1e2f264dcb18c99efde72203397b4bb1.exe
PID 1372 wrote to memory of 4804	1372	1e2f264dcb18c99efde72203397b4bb1.exe	1e2f264dcb18c99efde72203397b4bb1.exe
PID 1372 wrote to memory of 4804	1372	1e2f264dcb18c99efde72203397b4bb1.exe	1e2f264dcb18c99efde72203397b4bb1.exe
PID 1372 wrote to memory of 4804	1372	1e2f264dcb18c99efde72203397b4bb1.exe	1e2f264dcb18c99efde72203397b4bb1.exe
PID 1372 wrote to memory of 4804	1372	1e2f264dcb18c99efde72203397b4bb1.exe	1e2f264dcb18c99efde72203397b4bb1.exe
PID 1372 wrote to memory of 4804	1372	1e2f264dcb18c99efde72203397b4bb1.exe	1e2f264dcb18c99efde72203397b4bb1.exe
PID 1372 wrote to memory of 4804	1372	1e2f264dcb18c99efde72203397b4bb1.exe	1e2f264dcb18c99efde72203397b4bb1.exe
PID 1372 wrote to memory of 4804	1372	1e2f264dcb18c99efde72203397b4bb1.exe	1e2f264dcb18c99efde72203397b4bb1.exe
PID 1372 wrote to memory of 4804	1372	1e2f264dcb18c99efde72203397b4bb1.exe	1e2f264dcb18c99efde72203397b4bb1.exe
PID 4804 wrote to memory of 4764	4804	1e2f264dcb18c99efde72203397b4bb1.exe	cmd.exe
PID 4804 wrote to memory of 4764	4804	1e2f264dcb18c99efde72203397b4bb1.exe	cmd.exe
PID 4804 wrote to memory of 4764	4804	1e2f264dcb18c99efde72203397b4bb1.exe	cmd.exe
PID 4804 wrote to memory of 2996	4804	1e2f264dcb18c99efde72203397b4bb1.exe	cmd.exe
PID 4804 wrote to memory of 2996	4804	1e2f264dcb18c99efde72203397b4bb1.exe	cmd.exe
PID 4804 wrote to memory of 2996	4804	1e2f264dcb18c99efde72203397b4bb1.exe	cmd.exe
PID 4804 wrote to memory of 2360	4804	1e2f264dcb18c99efde72203397b4bb1.exe	cmd.exe
PID 4804 wrote to memory of 2360	4804	1e2f264dcb18c99efde72203397b4bb1.exe	cmd.exe
PID 4804 wrote to memory of 2360	4804	1e2f264dcb18c99efde72203397b4bb1.exe	cmd.exe
PID 4804 wrote to memory of 1632	4804	1e2f264dcb18c99efde72203397b4bb1.exe	cmd.exe
PID 4804 wrote to memory of 1632	4804	1e2f264dcb18c99efde72203397b4bb1.exe	cmd.exe
PID 4804 wrote to memory of 1632	4804	1e2f264dcb18c99efde72203397b4bb1.exe	cmd.exe
PID 4764 wrote to memory of 1552	4764	cmd.exe	reg.exe
PID 4764 wrote to memory of 1552	4764	cmd.exe	reg.exe
PID 4764 wrote to memory of 1552	4764	cmd.exe	reg.exe
PID 2996 wrote to memory of 1780	2996	cmd.exe	reg.exe
PID 2996 wrote to memory of 1780	2996	cmd.exe	reg.exe
PID 2996 wrote to memory of 1780	2996	cmd.exe	reg.exe
PID 1632 wrote to memory of 4444	1632	cmd.exe	reg.exe
PID 1632 wrote to memory of 4444	1632	cmd.exe	reg.exe
PID 1632 wrote to memory of 4444	1632	cmd.exe	reg.exe
PID 2360 wrote to memory of 3896	2360	cmd.exe	reg.exe
PID 2360 wrote to memory of 3896	2360	cmd.exe	reg.exe
PID 2360 wrote to memory of 3896	2360	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\1e2f264dcb18c99efde72203397b4bb1.exe
"C:\Users\Admin\AppData\Local\Temp\1e2f264dcb18c99efde72203397b4bb1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2624

C:\Users\Admin\AppData\Local\Temp\1e2f264dcb18c99efde72203397b4bb1.exe
"C:\Users\Admin\AppData\Local\Temp\1e2f264dcb18c99efde72203397b4bb1.exe"
2⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1372

C:\Users\Admin\AppData\Local\Temp\1e2f264dcb18c99efde72203397b4bb1.exe
"C:\Users\Admin\AppData\Local\Temp\1e2f264dcb18c99efde72203397b4bb1.exe"
3⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4804

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
4⤵
- Suspicious use of WriteProcessMemory
PID:4764

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
5⤵
- Modifies firewall policy service
- Modifies registry key
PID:1552

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\local.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\local.exe:*:Enabled:Windows Messanger" /f
4⤵
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
4⤵
- Suspicious use of WriteProcessMemory
PID:2360

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\1e2f264dcb18c99efde72203397b4bb1.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1e2f264dcb18c99efde72203397b4bb1.exe:*:Enabled:Windows Messanger" /f
4⤵
- Suspicious use of WriteProcessMemory
PID:2996

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\local.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\local.exe:*:Enabled:Windows Messanger" /f
1⤵
- Modifies firewall policy service
- Modifies registry key
PID:4444

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
1⤵
- Modifies firewall policy service
- Modifies registry key
PID:3896

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\1e2f264dcb18c99efde72203397b4bb1.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1e2f264dcb18c99efde72203397b4bb1.exe:*:Enabled:Windows Messanger" /f
1⤵
- Modifies firewall policy service
- Modifies registry key
PID:1780

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

5

Pre-OS Boot

T1542

Bootkit