dacf062c795698d8ad961e3a26ce8774a395fa4c0fccc86971e330b7c50ebe0f

Windows Service

T1543.003

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	375eef7af2dc0120024cb76e3b8f37ac.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:\users\admin\appdata\local\temp\375eef7af2dc0120024cb76e3b8f37ac.exe = "c:\\users\\admin\\appdata\\local\\temp\\375eef7af2dc0120024cb76e3b8f37ac.exe:*:Enabled:System Update"	375eef7af2dc0120024cb76e3b8f37ac.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	375eef7af2dc0120024cb76e3b8f37ac.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	375eef7af2dc0120024cb76e3b8f37ac.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run	375eef7af2dc0120024cb76e3b8f37ac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winsys = "c:\\windows\\winsys.exe"	375eef7af2dc0120024cb76e3b8f37ac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	375eef7af2dc0120024cb76e3b8f37ac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msrpc = "c:\\windows\\msrpc.exe"	375eef7af2dc0120024cb76e3b8f37ac.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\winsys\ImagePath = "c:\\windows\\winsys.exe"	375eef7af2dc0120024cb76e3b8f37ac.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winsys = "c:\\windows\\winsys.exe"	375eef7af2dc0120024cb76e3b8f37ac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\winsys = "c:\\windows\\winsys.exe"	375eef7af2dc0120024cb76e3b8f37ac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsassv = "c:\\windows\\lsassv.exe"	375eef7af2dc0120024cb76e3b8f37ac.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\t:	375eef7af2dc0120024cb76e3b8f37ac.exe
File opened (read-only)	\??\m:	375eef7af2dc0120024cb76e3b8f37ac.exe
File opened (read-only)	\??\l:	375eef7af2dc0120024cb76e3b8f37ac.exe
File opened (read-only)	\??\j:	375eef7af2dc0120024cb76e3b8f37ac.exe
File opened (read-only)	\??\e:	375eef7af2dc0120024cb76e3b8f37ac.exe
File opened (read-only)	\??\y:	375eef7af2dc0120024cb76e3b8f37ac.exe
File opened (read-only)	\??\u:	375eef7af2dc0120024cb76e3b8f37ac.exe
File opened (read-only)	\??\r:	375eef7af2dc0120024cb76e3b8f37ac.exe
File opened (read-only)	\??\n:	375eef7af2dc0120024cb76e3b8f37ac.exe
File opened (read-only)	\??\x:	375eef7af2dc0120024cb76e3b8f37ac.exe
File opened (read-only)	\??\s:	375eef7af2dc0120024cb76e3b8f37ac.exe
File opened (read-only)	\??\q:	375eef7af2dc0120024cb76e3b8f37ac.exe
File opened (read-only)	\??\p:	375eef7af2dc0120024cb76e3b8f37ac.exe
File opened (read-only)	\??\o:	375eef7af2dc0120024cb76e3b8f37ac.exe
File opened (read-only)	\??\g:	375eef7af2dc0120024cb76e3b8f37ac.exe
File opened (read-only)	\??\z:	375eef7af2dc0120024cb76e3b8f37ac.exe
File opened (read-only)	\??\w:	375eef7af2dc0120024cb76e3b8f37ac.exe
File opened (read-only)	\??\v:	375eef7af2dc0120024cb76e3b8f37ac.exe
File opened (read-only)	\??\k:	375eef7af2dc0120024cb76e3b8f37ac.exe
File opened (read-only)	\??\i:	375eef7af2dc0120024cb76e3b8f37ac.exe
File opened (read-only)	\??\h:	375eef7af2dc0120024cb76e3b8f37ac.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\regedit.exe	375eef7af2dc0120024cb76e3b8f37ac.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\mui\rctfd.sys	375eef7af2dc0120024cb76e3b8f37ac.exe
File created	\??\c:\windows\Start Menu\Programs\Startup\AdobeGammaLoader.scr	375eef7af2dc0120024cb76e3b8f37ac.exe
File created	\??\c:\windows\msrpc.exe	375eef7af2dc0120024cb76e3b8f37ac.exe
File created	\??\c:\windows\calc.exe	375eef7af2dc0120024cb76e3b8f37ac.exe
File created	\??\c:\windows\regedit2.exe	375eef7af2dc0120024cb76e3b8f37ac.exe
File opened for modification	\??\c:\windows\regedit2.exe	375eef7af2dc0120024cb76e3b8f37ac.exe
File created	\??\c:\windows\winsys.exe	375eef7af2dc0120024cb76e3b8f37ac.exe
File opened for modification	\??\c:\windows\winsys.exe	375eef7af2dc0120024cb76e3b8f37ac.exe
File created	\??\c:\windows\lsassv.exe	375eef7af2dc0120024cb76e3b8f37ac.exe
File opened for modification	\??\c:\windows\calc.exe	375eef7af2dc0120024cb76e3b8f37ac.exe
File opened for modification	\??\c:\windows\lsassv.exe	375eef7af2dc0120024cb76e3b8f37ac.exe
File opened for modification	\??\c:\windows\msrpc.exe	375eef7af2dc0120024cb76e3b8f37ac.exe
File created	\??\c:\windows\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\AdobeGammaLoader.scr	375eef7af2dc0120024cb76e3b8f37ac.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}	375eef7af2dc0120024cb76e3b8f37ac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\ThisEXE = "c:\\users\\admin\\appdata\\local\\temp\\375eef7af2dc0120024cb76e3b8f37ac.exe"	375eef7af2dc0120024cb76e3b8f37ac.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\VerProg = "142"	375eef7af2dc0120024cb76e3b8f37ac.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2328	375eef7af2dc0120024cb76e3b8f37ac.exe

C:\Users\Admin\AppData\Local\Temp\375eef7af2dc0120024cb76e3b8f37ac.exe
"C:\Users\Admin\AppData\Local\Temp\375eef7af2dc0120024cb76e3b8f37ac.exe"
1⤵
- Modifies firewall policy service
- Adds policy Run key to start application
- Sets service image path in registry
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

4

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery