betabot | dde59b015e0acd1910513cf1da07f3b17d6530816d663c102ed9ad6ab6d575a5

Windows Service

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile	3ig15iqo_1.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"	3ig15iqo_1.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	explorer.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"	explorer.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	3ig15iqo_1.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	3ig15iqo_1.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

Windows Service

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\ImagePath	regedit.exe

NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral1/memory/2900-173-0x0000000000290000-0x000000000032D000-memory.dmp	family_vidar
behavioral1/memory/2900-183-0x0000000000400000-0x0000000002400000-memory.dmp	family_vidar

Disables taskbar notifications via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Sets file execution options in registry 2 TTPs 20 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\3ig15iqo.exe\DisableExceptionChainValidation	EC81.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe\Debugger = "zgaxbousge.exe"	3ig15iqo_1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mrtstub.exe\Debugger = "cvjfqkashh.exe"	3ig15iqo_1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe\Debugger = "qhruuofsqt.exe"	3ig15iqo_1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe\Debugger = "zfzhihqsrae.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winmgr108.exe\Debugger = "nmg.exe"	3ig15iqo_1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\3ig15iqo.exe	EC81.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mrtstub.exe\Debugger = "uibqppglauu.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winmgr108.exe	3ig15iqo_1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "vwkmbsgsmco.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "eppzno.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe	3ig15iqo_1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mrtstub.exe	3ig15iqo_1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe	3ig15iqo_1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mrtstub.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe	3ig15iqo_1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe\Debugger = "sowpjcjknj.exe"	3ig15iqo_1.exe

Sets service image path in registry 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\ImagePath	regedit.exe

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0006000000016fb9-44.dat	aspack_v212_v242
behavioral1/files/0x0006000000017535-52.dat	aspack_v212_v242
behavioral1/files/0x0006000000017535-50.dat	aspack_v212_v242
behavioral1/files/0x0006000000016fb5-46.dat	aspack_v212_v242

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe

Executes dropped EXE 15 IoCs

pid	Process
2896	setup_install.exe
1644	Fri051bef0a158b9.exe
1928	Fri05acd872029bc7.exe
2816	Fri058f479171732c959.exe
2900	Fri059bb475f9c.exe
2876	Fri05cb95f8bb00f6e1c.exe
1972	Fri052297d9e8ac1.exe
1244	Fri050dad867a09bc1.exe
1420	Fri05090e6b571e139.exe
2228	Fri05b4b202015e2b3c.exe
2536	Fri050dad867a09bc1.tmp
2320	Fri05b4b202015e2b3c.exe
1012	EC81.exe
960	BC5.exe
1432	3ig15iqo_1.exe

Loads dropped DLL 63 IoCs

pid	Process
1064	dde59b015e0acd1910513cf1da07f3b17d6530816d663c102ed9ad6ab6d575a5.exe
1064	dde59b015e0acd1910513cf1da07f3b17d6530816d663c102ed9ad6ab6d575a5.exe
1064	dde59b015e0acd1910513cf1da07f3b17d6530816d663c102ed9ad6ab6d575a5.exe
2896	setup_install.exe
2896	setup_install.exe
2896	setup_install.exe
2896	setup_install.exe
2896	setup_install.exe
2896	setup_install.exe
2896	setup_install.exe
2896	setup_install.exe
1352	cmd.exe
1592	cmd.exe
1592	cmd.exe
1928	Fri05acd872029bc7.exe
1928	Fri05acd872029bc7.exe
556	cmd.exe
1008	cmd.exe
680	cmd.exe
680	cmd.exe
2900	Fri059bb475f9c.exe
2900	Fri059bb475f9c.exe
2816	Fri058f479171732c959.exe
2816	Fri058f479171732c959.exe
2876	Fri05cb95f8bb00f6e1c.exe
2876	Fri05cb95f8bb00f6e1c.exe
2044	cmd.exe
1972	Fri052297d9e8ac1.exe
1972	Fri052297d9e8ac1.exe
576	cmd.exe
476	cmd.exe
1244	Fri050dad867a09bc1.exe
1244	Fri050dad867a09bc1.exe
1244	Fri050dad867a09bc1.exe
2536	Fri050dad867a09bc1.tmp
2536	Fri050dad867a09bc1.tmp
2536	Fri050dad867a09bc1.tmp
696	WerFault.exe
696	WerFault.exe
696	WerFault.exe
696	WerFault.exe
2916	WerFault.exe
2916	WerFault.exe
2916	WerFault.exe
2916	WerFault.exe
1384	Explorer.EXE
1384	Explorer.EXE
2704	WerFault.exe
2704	WerFault.exe
2704	WerFault.exe
2704	WerFault.exe
2704	WerFault.exe
2140	WerFault.exe
2140	WerFault.exe
2140	WerFault.exe
2140	WerFault.exe
2624	WerFault.exe
2624	WerFault.exe
2624	WerFault.exe
2624	WerFault.exe
2624	WerFault.exe
2140	WerFault.exe
2956	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Java Updater = "C:\\ProgramData\\Java Updater\\3ig15iqo.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Updater = "\"C:\\ProgramData\\Java Updater\\3ig15iqo.exe\""	explorer.exe

Checks for any installed AV software in registry 1 TTPs 2 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\AntiVirService	3ig15iqo_1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\avast! Antivirus	3ig15iqo_1.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3ig15iqo_1.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	EC81.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\Java Updater\desktop.ini	explorer.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs

pid	Process
1012	EC81.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
1432	3ig15iqo_1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 7 IoCs

pid	pid_target	Process	procid_target
696	2896	WerFault.exe	28
2916	2900	WerFault.exe	32
2704	1972	WerFault.exe	34
2140	2816	WerFault.exe	39
2624	2876	WerFault.exe	38
760	1064	WerFault.exe	27
1660	2140	WerFault.exe	62

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Fri05acd872029bc7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Fri05acd872029bc7.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Fri05acd872029bc7.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	EC81.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EC81.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	3ig15iqo_1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	3ig15iqo_1.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

Scheduled Task/Job

pid	Process
1896	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	explorer.exe

Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3"	explorer.exe

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	explorer.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	explorer.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	Fri059bb475f9c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	Fri059bb475f9c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	Fri059bb475f9c.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\3ig15iqo_1.exe:1BB7FB68	explorer.exe
File created	C:\Users\Admin\AppData\Local\Temp\3ig15iqo_1.exe:1BB7FB68	explorer.exe

Runs regedit.exe 1 IoCs

pid	Process
2764	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1928	Fri05acd872029bc7.exe
1928	Fri05acd872029bc7.exe
1220	powershell.exe
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE
1384	Explorer.EXE

Suspicious behavior: MapViewOfSection 27 IoCs

pid	Process
1928	Fri05acd872029bc7.exe
1012	EC81.exe
1012	EC81.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
2956	explorer.exe
1432	3ig15iqo_1.exe
1432	3ig15iqo_1.exe
2956	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1644	Fri051bef0a158b9.exe
Token: SeDebugPrivilege	1420	Fri05090e6b571e139.exe
Token: SeDebugPrivilege	1220	powershell.exe
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeDebugPrivilege	1012	EC81.exe
Token: SeRestorePrivilege	1012	EC81.exe
Token: SeBackupPrivilege	1012	EC81.exe
Token: SeLoadDriverPrivilege	1012	EC81.exe
Token: SeCreatePagefilePrivilege	1012	EC81.exe
Token: SeShutdownPrivilege	1012	EC81.exe
Token: SeTakeOwnershipPrivilege	1012	EC81.exe
Token: SeChangeNotifyPrivilege	1012	EC81.exe
Token: SeCreateTokenPrivilege	1012	EC81.exe
Token: SeMachineAccountPrivilege	1012	EC81.exe
Token: SeSecurityPrivilege	1012	EC81.exe
Token: SeAssignPrimaryTokenPrivilege	1012	EC81.exe
Token: SeCreateGlobalPrivilege	1012	EC81.exe
Token: 33	1012	EC81.exe
Token: SeDebugPrivilege	2956	explorer.exe
Token: SeRestorePrivilege	2956	explorer.exe
Token: SeBackupPrivilege	2956	explorer.exe
Token: SeLoadDriverPrivilege	2956	explorer.exe
Token: SeCreatePagefilePrivilege	2956	explorer.exe
Token: SeShutdownPrivilege	2956	explorer.exe
Token: SeTakeOwnershipPrivilege	2956	explorer.exe
Token: SeChangeNotifyPrivilege	2956	explorer.exe
Token: SeCreateTokenPrivilege	2956	explorer.exe
Token: SeMachineAccountPrivilege	2956	explorer.exe
Token: SeSecurityPrivilege	2956	explorer.exe
Token: SeAssignPrimaryTokenPrivilege	2956	explorer.exe
Token: SeCreateGlobalPrivilege	2956	explorer.exe
Token: 33	2956	explorer.exe
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeDebugPrivilege	1432	3ig15iqo_1.exe
Token: SeRestorePrivilege	1432	3ig15iqo_1.exe
Token: SeBackupPrivilege	1432	3ig15iqo_1.exe
Token: SeLoadDriverPrivilege	1432	3ig15iqo_1.exe
Token: SeCreatePagefilePrivilege	1432	3ig15iqo_1.exe
Token: SeShutdownPrivilege	1432	3ig15iqo_1.exe
Token: SeTakeOwnershipPrivilege	1432	3ig15iqo_1.exe
Token: SeChangeNotifyPrivilege	1432	3ig15iqo_1.exe
Token: SeCreateTokenPrivilege	1432	3ig15iqo_1.exe
Token: SeMachineAccountPrivilege	1432	3ig15iqo_1.exe
Token: SeSecurityPrivilege	1432	3ig15iqo_1.exe
Token: SeAssignPrimaryTokenPrivilege	1432	3ig15iqo_1.exe
Token: SeCreateGlobalPrivilege	1432	3ig15iqo_1.exe
Token: 33	1432	3ig15iqo_1.exe
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeCreatePagefilePrivilege	1432	3ig15iqo_1.exe
Token: SeCreatePagefilePrivilege	1432	3ig15iqo_1.exe
Token: SeCreatePagefilePrivilege	1432	3ig15iqo_1.exe
Token: SeCreatePagefilePrivilege	1432	3ig15iqo_1.exe
Token: SeCreatePagefilePrivilege	1432	3ig15iqo_1.exe
Token: SeDebugPrivilege	2764	regedit.exe
Token: SeRestorePrivilege	2764	regedit.exe
Token: SeBackupPrivilege	2764	regedit.exe
Token: SeLoadDriverPrivilege	2764	regedit.exe
Token: SeCreatePagefilePrivilege	2764	regedit.exe
Token: SeShutdownPrivilege	2764	regedit.exe
Token: SeTakeOwnershipPrivilege	2764	regedit.exe
Token: SeChangeNotifyPrivilege	2764	regedit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1064 wrote to memory of 2896	1064	dde59b015e0acd1910513cf1da07f3b17d6530816d663c102ed9ad6ab6d575a5.exe	28
PID 1064 wrote to memory of 2896	1064	dde59b015e0acd1910513cf1da07f3b17d6530816d663c102ed9ad6ab6d575a5.exe	28
PID 1064 wrote to memory of 2896	1064	dde59b015e0acd1910513cf1da07f3b17d6530816d663c102ed9ad6ab6d575a5.exe	28
PID 1064 wrote to memory of 2896	1064	dde59b015e0acd1910513cf1da07f3b17d6530816d663c102ed9ad6ab6d575a5.exe	28
PID 1064 wrote to memory of 2896	1064	dde59b015e0acd1910513cf1da07f3b17d6530816d663c102ed9ad6ab6d575a5.exe	28
PID 1064 wrote to memory of 2896	1064	dde59b015e0acd1910513cf1da07f3b17d6530816d663c102ed9ad6ab6d575a5.exe	28
PID 1064 wrote to memory of 2896	1064	dde59b015e0acd1910513cf1da07f3b17d6530816d663c102ed9ad6ab6d575a5.exe	28
PID 2896 wrote to memory of 2544	2896	setup_install.exe	30
PID 2896 wrote to memory of 2544	2896	setup_install.exe	30
PID 2896 wrote to memory of 2544	2896	setup_install.exe	30
PID 2896 wrote to memory of 2544	2896	setup_install.exe	30
PID 2896 wrote to memory of 2544	2896	setup_install.exe	30
PID 2896 wrote to memory of 2544	2896	setup_install.exe	30
PID 2896 wrote to memory of 2544	2896	setup_install.exe	30
PID 2896 wrote to memory of 2044	2896	setup_install.exe	49
PID 2896 wrote to memory of 2044	2896	setup_install.exe	49
PID 2896 wrote to memory of 2044	2896	setup_install.exe	49
PID 2896 wrote to memory of 2044	2896	setup_install.exe	49
PID 2896 wrote to memory of 2044	2896	setup_install.exe	49
PID 2896 wrote to memory of 2044	2896	setup_install.exe	49
PID 2896 wrote to memory of 2044	2896	setup_install.exe	49
PID 2896 wrote to memory of 1592	2896	setup_install.exe	48
PID 2896 wrote to memory of 1592	2896	setup_install.exe	48
PID 2896 wrote to memory of 1592	2896	setup_install.exe	48
PID 2896 wrote to memory of 1592	2896	setup_install.exe	48
PID 2896 wrote to memory of 1592	2896	setup_install.exe	48
PID 2896 wrote to memory of 1592	2896	setup_install.exe	48
PID 2896 wrote to memory of 1592	2896	setup_install.exe	48
PID 2896 wrote to memory of 548	2896	setup_install.exe	47
PID 2896 wrote to memory of 548	2896	setup_install.exe	47
PID 2896 wrote to memory of 548	2896	setup_install.exe	47
PID 2896 wrote to memory of 548	2896	setup_install.exe	47
PID 2896 wrote to memory of 548	2896	setup_install.exe	47
PID 2896 wrote to memory of 548	2896	setup_install.exe	47
PID 2896 wrote to memory of 548	2896	setup_install.exe	47
PID 2896 wrote to memory of 680	2896	setup_install.exe	46
PID 2896 wrote to memory of 680	2896	setup_install.exe	46
PID 2896 wrote to memory of 680	2896	setup_install.exe	46
PID 2896 wrote to memory of 680	2896	setup_install.exe	46
PID 2896 wrote to memory of 680	2896	setup_install.exe	46
PID 2896 wrote to memory of 680	2896	setup_install.exe	46
PID 2896 wrote to memory of 680	2896	setup_install.exe	46
PID 2896 wrote to memory of 476	2896	setup_install.exe	45
PID 2896 wrote to memory of 476	2896	setup_install.exe	45
PID 2896 wrote to memory of 476	2896	setup_install.exe	45
PID 2896 wrote to memory of 476	2896	setup_install.exe	45
PID 2896 wrote to memory of 476	2896	setup_install.exe	45
PID 2896 wrote to memory of 476	2896	setup_install.exe	45
PID 2896 wrote to memory of 476	2896	setup_install.exe	45
PID 2896 wrote to memory of 1008	2896	setup_install.exe	44
PID 2896 wrote to memory of 1008	2896	setup_install.exe	44
PID 2896 wrote to memory of 1008	2896	setup_install.exe	44
PID 2896 wrote to memory of 1008	2896	setup_install.exe	44
PID 2896 wrote to memory of 1008	2896	setup_install.exe	44
PID 2896 wrote to memory of 1008	2896	setup_install.exe	44
PID 2896 wrote to memory of 1008	2896	setup_install.exe	44
PID 2896 wrote to memory of 1352	2896	setup_install.exe	43
PID 2896 wrote to memory of 1352	2896	setup_install.exe	43
PID 2896 wrote to memory of 1352	2896	setup_install.exe	43
PID 2896 wrote to memory of 1352	2896	setup_install.exe	43
PID 2896 wrote to memory of 1352	2896	setup_install.exe	43
PID 2896 wrote to memory of 1352	2896	setup_install.exe	43
PID 2896 wrote to memory of 1352	2896	setup_install.exe	43
PID 2896 wrote to memory of 556	2896	setup_install.exe	42

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1384
- C:\Users\Admin\AppData\Local\Temp\dde59b015e0acd1910513cf1da07f3b17d6530816d663c102ed9ad6ab6d575a5.exe
  "C:\Users\Admin\AppData\Local\Temp\dde59b015e0acd1910513cf1da07f3b17d6530816d663c102ed9ad6ab6d575a5.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1064
- - C:\Users\Admin\AppData\Local\Temp\7zS824B9646\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS824B9646\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      PID:2544
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1220
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri05090e6b571e139.exe
      4⤵
      Loads dropped DLL
      PID:576
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri058f479171732c959.exe
      4⤵
      Loads dropped DLL
      PID:556
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri051bef0a158b9.exe
      4⤵
      Loads dropped DLL
      PID:1352
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri05cb95f8bb00f6e1c.exe
      4⤵
      Loads dropped DLL
      PID:1008
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri050dad867a09bc1.exe
      4⤵
      Loads dropped DLL
      PID:476
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri059bb475f9c.exe
      4⤵
      Loads dropped DLL
      PID:680
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri05b4b202015e2b3c.exe
      4⤵
      PID:548
    - - C:\Users\Admin\AppData\Local\Temp\7zS824B9646\Fri05b4b202015e2b3c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS824B9646\Fri05b4b202015e2b3c.exe"
        5⤵
        Executes dropped EXE
        
        PID:2320
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri05acd872029bc7.exe
      4⤵
      Loads dropped DLL
      PID:1592
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri052297d9e8ac1.exe
      4⤵
      Loads dropped DLL
      PID:2044
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 436
      4⤵
      Loads dropped DLL
      Program crash
      PID:696
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1064 -s 348
    3⤵
    - Program crash
    PID:760
- C:\Users\Admin\AppData\Local\Temp\EC81.exe
  C:\Users\Admin\AppData\Local\Temp\EC81.exe
  2⤵
  - Sets file execution options in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  PID:1012
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - Modifies firewall policy service
    - Sets file execution options in registry
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies Internet Explorer Protected Mode
    - Modifies Internet Explorer Protected Mode Banner
    - Modifies Internet Explorer settings
    - NTFS ADS
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2956
  - - C:\Users\Admin\AppData\Local\Temp\3ig15iqo_1.exe
      /suac
      4⤵
      Modifies firewall policy service
      Sets file execution options in registry
      Executes dropped EXE
      Checks for any installed AV software in registry
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Checks processor information in registry
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:1432
    - - C:\Windows\SysWOW64\regedit.exe
        
        "C:\Windows\SysWOW64\regedit.exe"
        5⤵
        Modifies security service
        Sets file execution options in registry
        Sets service image path in registry
        Runs regedit.exe
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x1BB70478" /TR "C:\PROGRA~3\JAVAUP~1\3ig15iqo.exe" /RL HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:1896
- C:\Users\Admin\AppData\Local\Temp\BC5.exe
  C:\Users\Admin\AppData\Local\Temp\BC5.exe
  2⤵
  - Executes dropped EXE
  PID:960

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1344

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1641189315-1809839235-517594404-1022734100861892378-1610385236-132849277526373527"
1⤵
PID:2732

C:\Users\Admin\AppData\Local\Temp\7zS824B9646\Fri051bef0a158b9.exe
Fri051bef0a158b9.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Users\Admin\AppData\Local\Temp\7zS824B9646\Fri059bb475f9c.exe
Fri059bb475f9c.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:2900
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2900 -s 936
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:2916

C:\Users\Admin\AppData\Local\Temp\7zS824B9646\Fri052297d9e8ac1.exe
Fri052297d9e8ac1.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1972
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 592
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:2704

C:\Users\Admin\AppData\Local\Temp\7zS824B9646\Fri05090e6b571e139.exe
Fri05090e6b571e139.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Users\Admin\AppData\Local\Temp\7zS824B9646\Fri050dad867a09bc1.exe
Fri050dad867a09bc1.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1244
- C:\Users\Admin\AppData\Local\Temp\is-90FM6.tmp\Fri050dad867a09bc1.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-90FM6.tmp\Fri050dad867a09bc1.tmp" /SL5="$301BA,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS824B9646\Fri050dad867a09bc1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2536

C:\Users\Admin\AppData\Local\Temp\7zS824B9646\Fri05b4b202015e2b3c.exe
Fri05b4b202015e2b3c.exe
1⤵
- Executes dropped EXE
PID:2228

C:\Users\Admin\AppData\Local\Temp\7zS824B9646\Fri05cb95f8bb00f6e1c.exe
Fri05cb95f8bb00f6e1c.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2876
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 392
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:2624

C:\Users\Admin\AppData\Local\Temp\7zS824B9646\Fri058f479171732c959.exe
Fri058f479171732c959.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2816
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 496
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:2140
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 624
    3⤵
    - Program crash
    PID:1660

C:\Users\Admin\AppData\Local\Temp\7zS824B9646\Fri05acd872029bc7.exe
Fri05acd872029bc7.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1928

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

Scheduled Task/Job

Defense Evasion

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery