170b0b2f1444fc216b0d5e4905a0441053c41927eb85d91dc03ee5c8c1735279

Modify Registry

Processes:

44e6a17304e6f70010f378b1ddb272c3.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	44e6a17304e6f70010f378b1ddb272c3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\Microsoft\\Pluguin.exe"	44e6a17304e6f70010f378b1ddb272c3.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	44e6a17304e6f70010f378b1ddb272c3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\Microsoft\\Pluguin.exe"	44e6a17304e6f70010f378b1ddb272c3.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

Processes:

44e6a17304e6f70010f378b1ddb272c3.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{J117WMVM-32D1-5FCT-JK8F-E48807I25UR5}	44e6a17304e6f70010f378b1ddb272c3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{J117WMVM-32D1-5FCT-JK8F-E48807I25UR5}\StubPath = "C:\\Windows\\Microsoft\\Pluguin.exe Restart"	44e6a17304e6f70010f378b1ddb272c3.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3812-63-0x0000000024070000-0x00000000240D0000-memory.dmp	upx
behavioral2/memory/4804-68-0x0000000024070000-0x00000000240D0000-memory.dmp	upx
behavioral2/memory/4804-67-0x0000000024070000-0x00000000240D0000-memory.dmp	upx
behavioral2/memory/3812-3-0x0000000024010000-0x0000000024070000-memory.dmp	upx
behavioral2/memory/2184-134-0x00000000240D0000-0x0000000024130000-memory.dmp	upx
behavioral2/memory/4804-777-0x0000000024070000-0x00000000240D0000-memory.dmp	upx
behavioral2/memory/2184-1458-0x00000000240D0000-0x0000000024130000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

Processes:

44e6a17304e6f70010f378b1ddb272c3.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Avgnt = "C:\\Windows\\Microsoft\\Pluguin.exe"	44e6a17304e6f70010f378b1ddb272c3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Avirnt = "C:\\Windows\\Microsoft\\Pluguin.exe"	44e6a17304e6f70010f378b1ddb272c3.exe

Drops file in Windows directory 2 IoCs

Processes:

44e6a17304e6f70010f378b1ddb272c3.exe

description	ioc	process
File created	C:\Windows\Microsoft\Pluguin.exe	44e6a17304e6f70010f378b1ddb272c3.exe
File opened for modification	C:\Windows\Microsoft\Pluguin.exe	44e6a17304e6f70010f378b1ddb272c3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3460 4492 WerFault.exe Pluguin.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

44e6a17304e6f70010f378b1ddb272c3.exe

pid process

3812 44e6a17304e6f70010f378b1ddb272c3.exe
3812 44e6a17304e6f70010f378b1ddb272c3.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

44e6a17304e6f70010f378b1ddb272c3.exe

pid process

3812 44e6a17304e6f70010f378b1ddb272c3.exe

pid	pid_target	process	target process
3460	4492	WerFault.exe	Pluguin.exe

pid	process
3812	44e6a17304e6f70010f378b1ddb272c3.exe
3812	44e6a17304e6f70010f378b1ddb272c3.exe

pid	process
3812	44e6a17304e6f70010f378b1ddb272c3.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

44e6a17304e6f70010f378b1ddb272c3.exe

description	pid	process	target process
PID 3812 wrote to memory of 3392	3812	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3812 wrote to memory of 3392	3812	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3812 wrote to memory of 3392	3812	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3812 wrote to memory of 3392	3812	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3812 wrote to memory of 3392	3812	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3812 wrote to memory of 3392	3812	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3812 wrote to memory of 3392	3812	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3812 wrote to memory of 3392	3812	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3812 wrote to memory of 3392	3812	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3812 wrote to memory of 3392	3812	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3812 wrote to memory of 3392	3812	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3812 wrote to memory of 3392	3812	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3812 wrote to memory of 3392	3812	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3812 wrote to memory of 3392	3812	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3812 wrote to memory of 3392	3812	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3812 wrote to memory of 3392	3812	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3812 wrote to memory of 3392	3812	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3812 wrote to memory of 3392	3812	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3812 wrote to memory of 3392	3812	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3812 wrote to memory of 3392	3812	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3812 wrote to memory of 3392	3812	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3812 wrote to memory of 3392	3812	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3812 wrote to memory of 3392	3812	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3812 wrote to memory of 3392	3812	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3812 wrote to memory of 3392	3812	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3812 wrote to memory of 3392	3812	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3812 wrote to memory of 3392	3812	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3812 wrote to memory of 3392	3812	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3812 wrote to memory of 3392	3812	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3812 wrote to memory of 3392	3812	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3812 wrote to memory of 3392	3812	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3812 wrote to memory of 3392	3812	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3812 wrote to memory of 3392	3812	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3812 wrote to memory of 3392	3812	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3812 wrote to memory of 3392	3812	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3812 wrote to memory of 3392	3812	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3812 wrote to memory of 3392	3812	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3812 wrote to memory of 3392	3812	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3812 wrote to memory of 3392	3812	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3812 wrote to memory of 3392	3812	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3812 wrote to memory of 3392	3812	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3812 wrote to memory of 3392	3812	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3812 wrote to memory of 3392	3812	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3812 wrote to memory of 3392	3812	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3812 wrote to memory of 3392	3812	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3812 wrote to memory of 3392	3812	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3812 wrote to memory of 3392	3812	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3812 wrote to memory of 3392	3812	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3812 wrote to memory of 3392	3812	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3812 wrote to memory of 3392	3812	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3812 wrote to memory of 3392	3812	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3812 wrote to memory of 3392	3812	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3812 wrote to memory of 3392	3812	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3812 wrote to memory of 3392	3812	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3812 wrote to memory of 3392	3812	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3812 wrote to memory of 3392	3812	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3812 wrote to memory of 3392	3812	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3812 wrote to memory of 3392	3812	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3812 wrote to memory of 3392	3812	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3812 wrote to memory of 3392	3812	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3812 wrote to memory of 3392	3812	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3812 wrote to memory of 3392	3812	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3812 wrote to memory of 3392	3812	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE
PID 3812 wrote to memory of 3392	3812	44e6a17304e6f70010f378b1ddb272c3.exe	Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\44e6a17304e6f70010f378b1ddb272c3.exe
"C:\Users\Admin\AppData\Local\Temp\44e6a17304e6f70010f378b1ddb272c3.exe"
1⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3812

C:\Windows\SysWOW64\explorer.exe
explorer.exe
2⤵
PID:4804

C:\Users\Admin\AppData\Local\Temp\44e6a17304e6f70010f378b1ddb272c3.exe
"C:\Users\Admin\AppData\Local\Temp\44e6a17304e6f70010f378b1ddb272c3.exe"
2⤵
PID:2184

C:\Windows\Microsoft\Pluguin.exe
"C:\Windows\Microsoft\Pluguin.exe"
3⤵
PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 560
4⤵
- Program crash
PID:3460

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4492 -ip 4492
1⤵
PID:4144

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry