djvu | 629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	2EOG8eHQ5doCM_CeBj4UlOUE.exe

Executes dropped EXE 9 IoCs

pid	Process
1344	2EOG8eHQ5doCM_CeBj4UlOUE.exe
4380	e0cbefcb1af40c7d4aff4aca26621a98.exe
4564	2EOG8eHQ5doCM_CeBj4UlOUE.exe
2856	InstallSetup8.exe
4480	BroomSetup.exe
5060	rty27.exe
692	nsrFD10.tmp
3076	toolspub1.exe
3868	e0cbefcb1af40c7d4aff4aca26621a98.exe

Loads dropped DLL 4 IoCs

pid	Process
2856	InstallSetup8.exe
2856	InstallSetup8.exe
692	nsrFD10.tmp
692	nsrFD10.tmp

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1736	icacls.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000200000001e6fd-975.dat	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
153	api.2ip.ua
154	api.2ip.ua
6	api.myip.com
7	api.myip.com
17	ipinfo.io
19	ipinfo.io

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy	629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4596	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4188	692	WerFault.exe	111
1612	4148	WerFault.exe	160

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	nsrFD10.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	nsrFD10.tmp

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
1420	schtasks.exe
1820	schtasks.exe
3468	schtasks.exe
4616	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
396	timeout.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	e0cbefcb1af40c7d4aff4aca26621a98.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5008	629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe
5008	629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe
5008	629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe
5008	629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe
3076	toolspub1.exe
3076	toolspub1.exe
692	nsrFD10.tmp
692	nsrFD10.tmp
4112	Conhost.exe
4112	Conhost.exe
4112	Conhost.exe
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
4380	e0cbefcb1af40c7d4aff4aca26621a98.exe
4380	e0cbefcb1af40c7d4aff4aca26621a98.exe
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found
3444	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3076	toolspub1.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4112	Conhost.exe
Token: SeShutdownPrivilege	3444	Process not Found
Token: SeCreatePagefilePrivilege	3444	Process not Found
Token: SeDebugPrivilege	4380	e0cbefcb1af40c7d4aff4aca26621a98.exe
Token: SeImpersonatePrivilege	4380	e0cbefcb1af40c7d4aff4aca26621a98.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4480	BroomSetup.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 5008 wrote to memory of 1344	5008	629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe	98
PID 5008 wrote to memory of 1344	5008	629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe	98
PID 5008 wrote to memory of 1344	5008	629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe	98
PID 1344 wrote to memory of 1420	1344	2EOG8eHQ5doCM_CeBj4UlOUE.exe	99
PID 1344 wrote to memory of 1420	1344	2EOG8eHQ5doCM_CeBj4UlOUE.exe	99
PID 1344 wrote to memory of 1420	1344	2EOG8eHQ5doCM_CeBj4UlOUE.exe	99
PID 1344 wrote to memory of 4380	1344	2EOG8eHQ5doCM_CeBj4UlOUE.exe	101
PID 1344 wrote to memory of 4380	1344	2EOG8eHQ5doCM_CeBj4UlOUE.exe	101
PID 1344 wrote to memory of 4380	1344	2EOG8eHQ5doCM_CeBj4UlOUE.exe	101
PID 1344 wrote to memory of 2856	1344	2EOG8eHQ5doCM_CeBj4UlOUE.exe	103
PID 1344 wrote to memory of 2856	1344	2EOG8eHQ5doCM_CeBj4UlOUE.exe	103
PID 1344 wrote to memory of 2856	1344	2EOG8eHQ5doCM_CeBj4UlOUE.exe	103
PID 2856 wrote to memory of 4480	2856	InstallSetup8.exe	104
PID 2856 wrote to memory of 4480	2856	InstallSetup8.exe	104
PID 2856 wrote to memory of 4480	2856	InstallSetup8.exe	104
PID 1344 wrote to memory of 5060	1344	2EOG8eHQ5doCM_CeBj4UlOUE.exe	105
PID 1344 wrote to memory of 5060	1344	2EOG8eHQ5doCM_CeBj4UlOUE.exe	105
PID 4480 wrote to memory of 628	4480	BroomSetup.exe	106
PID 4480 wrote to memory of 628	4480	BroomSetup.exe	106
PID 4480 wrote to memory of 628	4480	BroomSetup.exe	106
PID 628 wrote to memory of 3324	628	cmd.exe	108
PID 628 wrote to memory of 3324	628	cmd.exe	108
PID 628 wrote to memory of 3324	628	cmd.exe	108
PID 628 wrote to memory of 1820	628	cmd.exe	109
PID 628 wrote to memory of 1820	628	cmd.exe	109
PID 628 wrote to memory of 1820	628	cmd.exe	109
PID 2856 wrote to memory of 692	2856	InstallSetup8.exe	111
PID 2856 wrote to memory of 692	2856	InstallSetup8.exe	111
PID 2856 wrote to memory of 692	2856	InstallSetup8.exe	111
PID 1344 wrote to memory of 3076	1344	2EOG8eHQ5doCM_CeBj4UlOUE.exe	112
PID 1344 wrote to memory of 3076	1344	2EOG8eHQ5doCM_CeBj4UlOUE.exe	112
PID 1344 wrote to memory of 3076	1344	2EOG8eHQ5doCM_CeBj4UlOUE.exe	112
PID 4380 wrote to memory of 4112	4380	e0cbefcb1af40c7d4aff4aca26621a98.exe	126
PID 4380 wrote to memory of 4112	4380	e0cbefcb1af40c7d4aff4aca26621a98.exe	126
PID 4380 wrote to memory of 4112	4380	e0cbefcb1af40c7d4aff4aca26621a98.exe	126

C:\Users\Admin\AppData\Local\Temp\629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe
"C:\Users\Admin\AppData\Local\Temp\629e031747e94b66f85f83711433a1c3d084ac0a57fbcc58f970be04de2d48cb.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5008
- C:\Users\Admin\Documents\GuardFox\2EOG8eHQ5doCM_CeBj4UlOUE.exe
  "C:\Users\Admin\Documents\GuardFox\2EOG8eHQ5doCM_CeBj4UlOUE.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1344
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN 2EOG8eHQ5doCM_CeBj4UlOUE.exe /TR "C:\Users\Admin\Documents\GuardFox\2EOG8eHQ5doCM_CeBj4UlOUE.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:1420
- - C:\Users\Admin\AppData\Local\Temp\1000096001\e0cbefcb1af40c7d4aff4aca26621a98.exe
    "C:\Users\Admin\AppData\Local\Temp\1000096001\e0cbefcb1af40c7d4aff4aca26621a98.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4380
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:4112
  - - C:\Users\Admin\AppData\Local\Temp\1000096001\e0cbefcb1af40c7d4aff4aca26621a98.exe
      "C:\Users\Admin\AppData\Local\Temp\1000096001\e0cbefcb1af40c7d4aff4aca26621a98.exe"
      4⤵
      Executes dropped EXE
      Modifies data under HKEY_USERS
      PID:3868
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:2080
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:1912
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:1616
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:4116
    - - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        5⤵
        
        PID:3580
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:4396
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:3468
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        6⤵
        
        PID:2768
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:2728
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:3720
      - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        6⤵
        
        PID:2412
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:4616
      - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        6⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        7⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        8⤵
        Launches sc.exe
        
        PID:4596
- - C:\Users\Admin\AppData\Local\Temp\1000100001\InstallSetup8.exe
    "C:\Users\Admin\AppData\Local\Temp\1000100001\InstallSetup8.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
      C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4480
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:628
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        6⤵
        
        PID:3324
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
        6⤵
        Creates scheduled task(s)
        
        PID:1820
  - - C:\Users\Admin\AppData\Local\Temp\nsrFD10.tmp
      C:\Users\Admin\AppData\Local\Temp\nsrFD10.tmp
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:692
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nsrFD10.tmp" & del "C:\ProgramData\*.dll"" & exit
        5⤵
        
        PID:3712
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 5
        6⤵
        Delays execution with timeout.exe
        
        PID:396
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 692 -s 2352
        5⤵
        Program crash
        
        PID:4188
- - C:\Users\Admin\AppData\Local\Temp\1000101001\rty27.exe
    "C:\Users\Admin\AppData\Local\Temp\1000101001\rty27.exe"
    3⤵
    - Executes dropped EXE
    PID:5060
- - C:\Users\Admin\AppData\Local\Temp\1000102001\toolspub1.exe
    "C:\Users\Admin\AppData\Local\Temp\1000102001\toolspub1.exe"
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:3076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2548

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:3116

C:\Users\Admin\Documents\GuardFox\2EOG8eHQ5doCM_CeBj4UlOUE.exe
C:\Users\Admin\Documents\GuardFox\2EOG8eHQ5doCM_CeBj4UlOUE.exe
1⤵
- Executes dropped EXE
PID:4564

C:\Users\Admin\AppData\Local\Temp\C32C.exe
C:\Users\Admin\AppData\Local\Temp\C32C.exe
1⤵
PID:1940

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
1⤵
- Modifies Windows Firewall
PID:2892

C:\Users\Admin\Documents\GuardFox\2EOG8eHQ5doCM_CeBj4UlOUE.exe
C:\Users\Admin\Documents\GuardFox\2EOG8eHQ5doCM_CeBj4UlOUE.exe
1⤵
PID:4676

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4112

C:\Users\Admin\AppData\Roaming\vcuijga
C:\Users\Admin\AppData\Roaming\vcuijga
1⤵
PID:4088

C:\Users\Admin\AppData\Local\Temp\DEC3.exe
C:\Users\Admin\AppData\Local\Temp\DEC3.exe
1⤵
PID:1332
- C:\Users\Admin\AppData\Local\Temp\DEC3.exe
  C:\Users\Admin\AppData\Local\Temp\DEC3.exe
  2⤵
  PID:1748
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\71a81080-19ca-456a-9a4e-aadf77cb90b1" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:1736
- - C:\Users\Admin\AppData\Local\Temp\DEC3.exe
    "C:\Users\Admin\AppData\Local\Temp\DEC3.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    PID:2904
  - - C:\Users\Admin\AppData\Local\Temp\DEC3.exe
      "C:\Users\Admin\AppData\Local\Temp\DEC3.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      PID:4148
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 568
        5⤵
        Program crash
        
        PID:1612

C:\Users\Admin\AppData\Local\Temp\9CC.exe
C:\Users\Admin\AppData\Local\Temp\9CC.exe
1⤵
PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 692 -ip 692
1⤵
PID:1132

C:\Users\Admin\AppData\Local\Temp\84C9.exe
C:\Users\Admin\AppData\Local\Temp\84C9.exe
1⤵
PID:3324

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2500

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4148 -ip 4148
1⤵
PID:3916

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2704

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4032

C:\Users\Admin\Documents\GuardFox\2EOG8eHQ5doCM_CeBj4UlOUE.exe
C:\Users\Admin\Documents\GuardFox\2EOG8eHQ5doCM_CeBj4UlOUE.exe
1⤵
PID:3156

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:2728

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery