Analysis
- max time kernel: 24s
- max time network: 112s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-12-2023 21:20

Static task: static1

Behavioral task: behavioral1
- Sample: 1ccac71be2c3bfba57da85da3bb2556a.exe
- Resource: win7-20231215-en

Behavioral task: behavioral2
- Sample: 1ccac71be2c3bfba57da85da3bb2556a.exe
- Resource: win10v2004-20231215-en

General
- Target: 1ccac71be2c3bfba57da85da3bb2556a.exe
- Size: 1.7MB
- MD5: 1ccac71be2c3bfba57da85da3bb2556a
- SHA1: a264a0133291894122ee6cd7d7e09cfe546cecfe
- SHA256: e5a02248c236c1eac1e2199280c2e34abbb31dcd329802dcef02eb7c69d549df
- SHA512: f436cca2bb9a1a5b51851c7959b2d791267462562ab8276385980a88088e2e298b638195abaaa3d6d09a41bd41446e3756a6950dc197fd1fbbc28aebcfc12bb0
- SSDEEP: 49152:DgmI+j/fumzhTIzvxnL8OjVvX7+zNstcn+9:YFmzhTAVfp69+9
Malware Config
Signatures
-
Sets file execution options in registry 2 TTPs 10 IoCs
A Debugger value under Image File Execution Options makes Windows start the named "debugger" in place of the target image, with the target's original command line appended. The sample registers iesafemode.exe -sb as the debugger for five browsers, so any launch of those browsers instead runs the binary it drops as C:\Windows\SysWOW64\iesafemode.exe. The value carries no path, so which iesafemode.exe is resolved depends on the launching process's search path (a 32-bit launcher sees SysWOW64 as System32 through file-system redirection).
description / ioc (process: 1ccac71be2c3bfba57da85da3bb2556a.exe for every entry)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe\Debugger = "iesafemode.exe -sb"
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "iesafemode.exe -sb"
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "iesafemode.exe -sb"
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe\Debugger = "iesafemode.exe -sb"
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safari.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safari.exe\Debugger = "iesafemode.exe -sb"
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
The value name and path masquerade as an AVG product; the target is the file the sample itself drops under Program Files (x86) (see "Drops file in Program Files directory" below), so the persistence entry and the dropped payload belong to the same sample.
description / ioc (process: 1ccac71be2c3bfba57da85da3bb2556a.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVG Antivirus 2011 = "C:\\Program Files (x86)\\AVG Antivirus 2011\\avg.exe"
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description / ioc (process: 1ccac71be2c3bfba57da85da3bb2556a.exe for every entry)
- File opened (read-only) \??\E:
- File opened (read-only) \??\G: through \??\Z: (G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z), 21 drive letters in total
-
Drops file in System32 directory 1 IoCs
description / ioc (process: 1ccac71be2c3bfba57da85da3bb2556a.exe)
- File created C:\Windows\SysWOW64\iesafemode.exe
-
Drops file in Program Files directory 1 IoCs
description / ioc (process: 1ccac71be2c3bfba57da85da3bb2556a.exe)
- File created C:\Program Files (x86)\AVG Antivirus 2011\avg.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Control Panel 1 IoCs
ForegroundLockTimeout is the delay after user input during which other applications are kept from taking the foreground; setting it to 0 disables that lock, letting the sample push its own windows to the front at will.
description / ioc (process: 1ccac71be2c3bfba57da85da3bb2556a.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\Desktop\ForegroundLockTimeout = "0"
-
Modifies Internet Explorer settings 2 IoCs
{D27CDB6E-AE6D-11CF-96B8-444553540000} is the CLSID of the Shockwave Flash ActiveX control; Compatibility Flags = 1024 (0x400) is the kill bit, so Internet Explorer will refuse to instantiate that control. The WOW6432Node path means the change applies to the 32-bit view of the registry.
description / ioc (process: 1ccac71be2c3bfba57da85da3bb2556a.exe for both entries)
- Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Compatibility Flags = "1024"
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
pid / Process: 4816 1ccac71be2c3bfba57da85da3bb2556a.exe (18 occurrences, all from the same process)
-
Suspicious use of FindShellTrayWindow 2 IoCs
pid / Process: 4816 1ccac71be2c3bfba57da85da3bb2556a.exe (2 occurrences)
-
Suspicious use of SendNotifyMessage 2 IoCs
pid / Process: 4816 1ccac71be2c3bfba57da85da3bb2556a.exe (2 occurrences)
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid / Process: 4816 1ccac71be2c3bfba57da85da3bb2556a.exe
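As an added triage example (not part of the sandbox report or its tooling), the script below parses registry "Set value" events in the flattened form this report uses and flags the four behaviours recorded above: an IFEO Debugger value that points at something other than a known debugger, a Run-key entry, an ActiveX Compatibility Flags value with the 0x400 kill bit set, and ForegroundLockTimeout = 0. It also shows what command line the loader actually executes once the IFEO value is in place. The sample events are constructed from the IoCs on this page; KNOWN_DEBUGGERS is an assumed allow-list that a site would tune, and effective_command_line simplifies the loader to "prepend the Debugger string to the original command line".

```python
import re
from dataclasses import dataclass

# Flattened sandbox event: Set value (type) <key>\<name> = "<data>"
EVENT_RE = re.compile(
    r'^Set value \((?:str|int)\) (?P<key>.+)\\(?P<name>[^\\]+) = "(?P<data>.*)"$'
)

KILL_BIT = 0x400  # ActiveX Compatibility Flags bit that blocks a control in IE

# Assumed allow-list of debugger images seen in legitimate IFEO entries (site-specific).
KNOWN_DEBUGGERS = {"vsjitdebugger.exe", "windbg.exe", "ntsd.exe", "cdb.exe"}

# Constructed sample events mirroring the IoCs in this report.
SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe\Debugger = "iesafemode.exe -sb"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "iesafemode.exe -sb"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVG Antivirus 2011 = "C:\\Program Files (x86)\\AVG Antivirus 2011\\avg.exe"',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Compatibility Flags = "1024"',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\Desktop\ForegroundLockTimeout = "0"',
]


@dataclass(frozen=True)
class Finding:
    kind: str
    target: str
    detail: str


def parse_event(line):
    """Split one flattened event into (key, value name, data); None if not a Set value event."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    # The report escapes backslashes inside string data ("C:\\Program Files"); undo that.
    return m.group("key"), m.group("name"), m.group("data").replace("\\\\", "\\")


def triage(lines):
    """Return the findings a SOC analyst would want from a list of registry events."""
    findings = []
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        key, name, data = parsed
        parts = key.split("\\")
        lkey, lname = key.lower(), name.lower()
        if "\\image file execution options\\" in lkey and lname == "debugger":
            # Debugger image is the first token of the value; strip any directory.
            debugger_image = data.split()[0].strip('"').rsplit("\\", 1)[-1].lower()
            if debugger_image not in KNOWN_DEBUGGERS:
                findings.append(Finding("ifeo_hijack", parts[-1].lower(), data))
        elif lkey.endswith("\\currentversion\\run") or lkey.endswith("\\currentversion\\runonce"):
            findings.append(Finding("run_key", name, data))
        elif "\\activex compatibility\\" in lkey and lname == "compatibility flags":
            flags = int(data)
            if flags & KILL_BIT:
                findings.append(Finding("activex_killbit", parts[-1], f"0x{flags:x}"))
        elif lkey.endswith("\\control panel\\desktop") and lname == "foregroundlocktimeout" and data == "0":
            findings.append(Finding("foreground_lock_disabled", name, data))
    return findings


def ifeo_map(findings):
    """target image name -> Debugger string, for every IFEO hijack found."""
    return {f.target: f.detail for f in findings if f.kind == "ifeo_hijack"}


def _image_name(cmdline):
    # Honour a quoted first token so paths with spaces are handled.
    if cmdline.startswith('"'):
        first = cmdline[1:cmdline.index('"', 1)]
    else:
        first = cmdline.split(None, 1)[0]
    return first.rsplit("\\", 1)[-1].lower()


def effective_command_line(ifeo, cmdline):
    """Simplified loader behaviour: with a Debugger value present, Windows runs
    '<Debugger> <original command line>' instead of the image itself."""
    debugger = ifeo.get(_image_name(cmdline))
    return f"{debugger} {cmdline}" if debugger else cmdline


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.kind:26} {f.target:45} {f.detail}")
    launch = r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --no-first-run'
    print("user starts :", launch)
    print("loader runs :", effective_command_line(ifeo_map(found), launch))
```

Feed it the "Set value" lines from a report (or from a Sysmon event 13 export reshaped to the same form) and every browser whose launch has been redirected appears as an ifeo_hijack finding; a remediation would delete the Debugger value for each target listed rather than the whole IFEO key, since legitimate entries (for example GlobalFlag settings) may live alongside it.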
Processes
-
C:\Users\Admin\AppData\Local\Temp\1ccac71be2c3bfba57da85da3bb2556a.exe (PID 4816)
command line: "C:\Users\Admin\AppData\Local\Temp\1ccac71be2c3bfba57da85da3bb2556a.exe"
- Sets file execution options in registry
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx