95ff1da7b20a1c764bc69e6eb03957c06e909d25cb470db3b445cdf010f454d8

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\sembako-cfzjkih.exe\""	4f5b142774646ee49a0e64379cb5cf55.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\sembako-cfzjkih.exe\""	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\sembako-cfzjkih.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\sembako-cfzjkih.exe\""	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\sembako-cfzjkih.exe\""	lsass.exe

Modifies visibility of file extensions in Explorer 2 TTPs 5 IoCs

Hidden Files and Directories

T1564.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	4f5b142774646ee49a0e64379cb5cf55.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 5 IoCs

Hidden Files and Directories

T1564.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	4f5b142774646ee49a0e64379cb5cf55.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	services.exe

Disables RegEdit via registry modification 10 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	4f5b142774646ee49a0e64379cb5cf55.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	4f5b142774646ee49a0e64379cb5cf55.exe

Disables cmd.exe use via registry modification 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "0"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "0"	4f5b142774646ee49a0e64379cb5cf55.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "0"	smss.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif	smss.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif	smss.exe

Executes dropped EXE 4 IoCs

pid	Process
2900	smss.exe
2696	winlogon.exe
4508	services.exe
4064	lsass.exe

Adds Run key to start application 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus-cfhikorx = "\"C:\\Windows\\ShellNew\\bbm-xrokihfc.exe\""	4f5b142774646ee49a0e64379cb5cf55.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus-cfhikorx = "\"C:\\Windows\\ShellNew\\bbm-xrokihfc.exe\""	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus-1464 = "\"C:\\Users\\Admin\\AppData\\Local\\br3951on.exe\""	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus	4f5b142774646ee49a0e64379cb5cf55.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus-1464 = "\"C:\\Users\\Admin\\AppData\\Local\\br3951on.exe\""	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus-cfhikorx = "\"C:\\Windows\\ShellNew\\bbm-xrokihfc.exe\""	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus-1464 = "\"C:\\Users\\Admin\\AppData\\Local\\br3951on.exe\""	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus-1464 = "\"C:\\Users\\Admin\\AppData\\Local\\br3951on.exe\""	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus-1464 = "\"C:\\Users\\Admin\\AppData\\Local\\br3951on.exe\""	4f5b142774646ee49a0e64379cb5cf55.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus-cfhikorx = "\"C:\\Windows\\ShellNew\\bbm-xrokihfc.exe\""	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus-cfhikorx = "\"C:\\Windows\\ShellNew\\bbm-xrokihfc.exe\""	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus	4f5b142774646ee49a0e64379cb5cf55.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus	services.exe

Drops file in System32 directory 17 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\DXBLBA.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\cmd-bro-ikx.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	4f5b142774646ee49a0e64379cb5cf55.exe
File opened for modification	C:\Windows\SysWOW64\cmd-bro-ikx.exe	winlogon.exe
File created	C:\Windows\SysWOW64\Admin's Setting.scr	smss.exe
File opened for modification	C:\Windows\SysWOW64\cmd-bro-ikx.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\Admin's Setting.scr	smss.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	services.exe
File created	C:\Windows\SysWOW64\sistem.sys	4f5b142774646ee49a0e64379cb5cf55.exe
File created	C:\Windows\SysWOW64\cmd-bro-ikx.exe	4f5b142774646ee49a0e64379cb5cf55.exe
File opened for modification	C:\Windows\SysWOW64\cmd-bro-ikx.exe	4f5b142774646ee49a0e64379cb5cf55.exe
File opened for modification	C:\Windows\SysWOW64\sistem.sys	4f5b142774646ee49a0e64379cb5cf55.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\DXBLBA.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\cmd-bro-ikx.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	lsass.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\sembako-cfzjkih.exe	smss.exe
File opened for modification	C:\Windows\ShellNew\bbm-xrokihfc.exe	winlogon.exe
File opened for modification	C:\Windows\sembako-cfzjkih.exe	winlogon.exe
File opened for modification	C:\Windows\ShellNew\bbm-xrokihfc.exe	services.exe
File opened for modification	C:\Windows\sembako-cfzjkih.exe	services.exe
File opened for modification	C:\Windows\ShellNew\bbm-xrokihfc.exe	4f5b142774646ee49a0e64379cb5cf55.exe
File opened for modification	C:\Windows\sembako-cfzjkih.exe	4f5b142774646ee49a0e64379cb5cf55.exe
File opened for modification	C:\Windows\ShellNew\bbm-xrokihfc.exe	smss.exe
File opened for modification	C:\Windows\ShellNew\bbm-xrokihfc.exe	lsass.exe
File opened for modification	C:\Windows\sembako-cfzjkih.exe	lsass.exe
File created	C:\Windows\ShellNew\bbm-xrokihfc.exe	4f5b142774646ee49a0e64379cb5cf55.exe
File created	C:\Windows\sembako-cfzjkih.exe	4f5b142774646ee49a0e64379cb5cf55.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings	explorer.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2856	4f5b142774646ee49a0e64379cb5cf55.exe
2900	smss.exe
2696	winlogon.exe
4508	services.exe
4064	lsass.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 2244	2856	4f5b142774646ee49a0e64379cb5cf55.exe	90
PID 2856 wrote to memory of 2244	2856	4f5b142774646ee49a0e64379cb5cf55.exe	90
PID 2856 wrote to memory of 2244	2856	4f5b142774646ee49a0e64379cb5cf55.exe	90
PID 2856 wrote to memory of 2900	2856	4f5b142774646ee49a0e64379cb5cf55.exe	94
PID 2856 wrote to memory of 2900	2856	4f5b142774646ee49a0e64379cb5cf55.exe	94
PID 2856 wrote to memory of 2900	2856	4f5b142774646ee49a0e64379cb5cf55.exe	94
PID 2900 wrote to memory of 2696	2900	smss.exe	95
PID 2900 wrote to memory of 2696	2900	smss.exe	95
PID 2900 wrote to memory of 2696	2900	smss.exe	95
PID 2900 wrote to memory of 2464	2900	smss.exe	97
PID 2900 wrote to memory of 2464	2900	smss.exe	97
PID 2900 wrote to memory of 2464	2900	smss.exe	97
PID 2900 wrote to memory of 2436	2900	smss.exe	98
PID 2900 wrote to memory of 2436	2900	smss.exe	98
PID 2900 wrote to memory of 2436	2900	smss.exe	98
PID 2900 wrote to memory of 3140	2900	smss.exe	102
PID 2900 wrote to memory of 3140	2900	smss.exe	102
PID 2900 wrote to memory of 3140	2900	smss.exe	102
PID 2900 wrote to memory of 4508	2900	smss.exe	104
PID 2900 wrote to memory of 4508	2900	smss.exe	104
PID 2900 wrote to memory of 4508	2900	smss.exe	104
PID 2900 wrote to memory of 4064	2900	smss.exe	105
PID 2900 wrote to memory of 4064	2900	smss.exe	105
PID 2900 wrote to memory of 4064	2900	smss.exe	105

C:\Users\Admin\AppData\Local\Temp\4f5b142774646ee49a0e64379cb5cf55.exe
"C:\Users\Admin\AppData\Local\Temp\4f5b142774646ee49a0e64379cb5cf55.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe
  2⤵
  - Modifies registry class
  PID:2244
- C:\Users\Admin\AppData\Local\smss.exe
  C:\Users\Admin\AppData\Local\smss.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Users\Admin\AppData\Local\winlogon.exe
    C:\Users\Admin\AppData\Local\winlogon.exe
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2696
- - C:\Windows\SysWOW64\at.exe
    at /delete /y
    3⤵
    PID:2464
- - C:\Windows\SysWOW64\at.exe
    at 17:08 /every:M,T,W,Th,F,S,Su "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\6084-NendangBro.com"
    3⤵
    PID:2436
- - C:\Windows\SysWOW64\at.exe
    at 11:03 /every:M,T,W,Th,F,S,Su "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\6084-NendangBro.com"
    3⤵
    PID:3140
- - C:\Users\Admin\AppData\Local\services.exe
    C:\Users\Admin\AppData\Local\services.exe
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:4508
- - C:\Users\Admin\AppData\Local\lsass.exe
    C:\Users\Admin\AppData\Local\lsass.exe
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:4064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

2

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery