amadey | 41341a270a56d93bc7d7b84bba433894cd802e1f658c550c909648875655ee7a

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

Processes:

jFs2AGKtO1oE9oaBJSb_xfmK.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jFs2AGKtO1oE9oaBJSb_xfmK.exe

Windows security bypass 2 TTPs 2 IoCs

Disable or Modify Tools

Modify Registry

Processes:

jFs2AGKtO1oE9oaBJSb_xfmK.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	jFs2AGKtO1oE9oaBJSb_xfmK.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Documents\GuardFox\jFs2AGKtO1oE9oaBJSb_xfmK.exe = "0"	jFs2AGKtO1oE9oaBJSb_xfmK.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

e5W2c6C_Ffjf6gm9xlreVkWg.exejFs2AGKtO1oE9oaBJSb_xfmK.exe7625.exeUtsysc.execqwh99pDl8DJKLTFsK7r3dKV.exe2WikyfhIg3qcjejHn3mPOq9j.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	e5W2c6C_Ffjf6gm9xlreVkWg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	jFs2AGKtO1oE9oaBJSb_xfmK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	7625.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	Utsysc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	cqwh99pDl8DJKLTFsK7r3dKV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	2WikyfhIg3qcjejHn3mPOq9j.exe

Executes dropped EXE 13 IoCs

Processes:

uZEwWsj41x_YXbINNO3T1Dor.exee5W2c6C_Ffjf6gm9xlreVkWg.exejFs2AGKtO1oE9oaBJSb_xfmK.execqwh99pDl8DJKLTFsK7r3dKV.exeEXka605mTeWhm55sj8YFdBKM.exeWmcAeyPH9OdJPuX7sT7d_UMh.exe7625.exe7625.exeUtsysc.exeUtsysc.exeUtsysc.exeUtsysc.exefVCjIlatPIFbu9GHhTIX.exe

pid	process
3144	uZEwWsj41x_YXbINNO3T1Dor.exe
2656	e5W2c6C_Ffjf6gm9xlreVkWg.exe
3140	jFs2AGKtO1oE9oaBJSb_xfmK.exe
3456	cqwh99pDl8DJKLTFsK7r3dKV.exe
3552	EXka605mTeWhm55sj8YFdBKM.exe
2588	WmcAeyPH9OdJPuX7sT7d_UMh.exe
1300	7625.exe
4484	7625.exe
2708	Utsysc.exe
1612	Utsysc.exe
744	Utsysc.exe
1952	Utsysc.exe
4756	fVCjIlatPIFbu9GHhTIX.exe

Loads dropped DLL 11 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

pid	process
1736	rundll32.exe
4828	rundll32.exe
2904	rundll32.exe
2884	rundll32.exe
3532	rundll32.exe
4656	rundll32.exe
64	rundll32.exe
404	rundll32.exe
1852	rundll32.exe
1176	rundll32.exe
2708	rundll32.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 3 IoCs

Disable or Modify Tools

Modify Registry

Processes:

jFs2AGKtO1oE9oaBJSb_xfmK.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	jFs2AGKtO1oE9oaBJSb_xfmK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	jFs2AGKtO1oE9oaBJSb_xfmK.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Documents\GuardFox\jFs2AGKtO1oE9oaBJSb_xfmK.exe = "0"	jFs2AGKtO1oE9oaBJSb_xfmK.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

cqwh99pDl8DJKLTFsK7r3dKV.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	cqwh99pDl8DJKLTFsK7r3dKV.exe
Key opened	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	cqwh99pDl8DJKLTFsK7r3dKV.exe
Key opened	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	cqwh99pDl8DJKLTFsK7r3dKV.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

Processes:

cqwh99pDl8DJKLTFsK7r3dKV.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeUpdaterV2 = "C:\\Users\\Admin\\AppData\\Local\\AdobeUpdaterV2\\AdobeUpdaterV2.exe"	cqwh99pDl8DJKLTFsK7r3dKV.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

System Information Discovery

Processes:

jFs2AGKtO1oE9oaBJSb_xfmK.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jFs2AGKtO1oE9oaBJSb_xfmK.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jFs2AGKtO1oE9oaBJSb_xfmK.exe

Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 api.myip.com
9 api.myip.com
10 ipinfo.io
11 ipinfo.io
158 ipinfo.io
159 ipinfo.io

flow	ioc
8	api.myip.com
9	api.myip.com
10	ipinfo.io
11	ipinfo.io
158	ipinfo.io
159	ipinfo.io

Drops file in System32 directory 4 IoCs

Processes:

2WikyfhIg3qcjejHn3mPOq9j.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	2WikyfhIg3qcjejHn3mPOq9j.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	2WikyfhIg3qcjejHn3mPOq9j.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	2WikyfhIg3qcjejHn3mPOq9j.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	2WikyfhIg3qcjejHn3mPOq9j.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

WmcAeyPH9OdJPuX7sT7d_UMh.exeEXka605mTeWhm55sj8YFdBKM.exe7625.exeUtsysc.exeUtsysc.exe

description	pid	process	target process
PID 2588 set thread context of 2392	2588	WmcAeyPH9OdJPuX7sT7d_UMh.exe	RegAsm.exe
PID 3552 set thread context of 4992	3552	EXka605mTeWhm55sj8YFdBKM.exe	RegAsm.exe
PID 1300 set thread context of 4484	1300	7625.exe	7625.exe
PID 2708 set thread context of 1612	2708	Utsysc.exe	Utsysc.exe
PID 744 set thread context of 1952	744	Utsysc.exe	Utsysc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3584 4992 WerFault.exe RegAsm.exe

pid	pid_target	process	target process
3584	4992	WerFault.exe	RegAsm.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

uZEwWsj41x_YXbINNO3T1Dor.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uZEwWsj41x_YXbINNO3T1Dor.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uZEwWsj41x_YXbINNO3T1Dor.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	uZEwWsj41x_YXbINNO3T1Dor.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

cqwh99pDl8DJKLTFsK7r3dKV.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	cqwh99pDl8DJKLTFsK7r3dKV.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	cqwh99pDl8DJKLTFsK7r3dKV.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2344 schtasks.exe
952 schtasks.exe
3704 schtasks.exe
3716 schtasks.exe

pid	process
2344	schtasks.exe
952	schtasks.exe
3704	schtasks.exe
3716	schtasks.exe

Modifies registry class 2 IoCs

Processes:

2WikyfhIg3qcjejHn3mPOq9j.exee5W2c6C_Ffjf6gm9xlreVkWg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	2WikyfhIg3qcjejHn3mPOq9j.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings	e5W2c6C_Ffjf6gm9xlreVkWg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2WikyfhIg3qcjejHn3mPOq9j.exeuZEwWsj41x_YXbINNO3T1Dor.execqwh99pDl8DJKLTFsK7r3dKV.exepowershell.exe

pid	process
1616	2WikyfhIg3qcjejHn3mPOq9j.exe
1616	2WikyfhIg3qcjejHn3mPOq9j.exe
1616	2WikyfhIg3qcjejHn3mPOq9j.exe
1616	2WikyfhIg3qcjejHn3mPOq9j.exe
3144	uZEwWsj41x_YXbINNO3T1Dor.exe
3144	uZEwWsj41x_YXbINNO3T1Dor.exe
3456	cqwh99pDl8DJKLTFsK7r3dKV.exe
3456	cqwh99pDl8DJKLTFsK7r3dKV.exe
3456	cqwh99pDl8DJKLTFsK7r3dKV.exe
3456	cqwh99pDl8DJKLTFsK7r3dKV.exe
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3188	powershell.exe
3188	powershell.exe
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488
3488

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3488
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

uZEwWsj41x_YXbINNO3T1Dor.exe

pid process

3144 uZEwWsj41x_YXbINNO3T1Dor.exe

pid	process
3488

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

powershell.exe

description	pid	process
Token: SeDebugPrivilege	3188	powershell.exe
Token: SeShutdownPrivilege	3488
Token: SeCreatePagefilePrivilege	3488
Token: SeShutdownPrivilege	3488
Token: SeCreatePagefilePrivilege	3488
Token: SeShutdownPrivilege	3488
Token: SeCreatePagefilePrivilege	3488
Token: SeShutdownPrivilege	3488
Token: SeCreatePagefilePrivilege	3488
Token: SeShutdownPrivilege	3488
Token: SeCreatePagefilePrivilege	3488
Token: SeShutdownPrivilege	3488
Token: SeCreatePagefilePrivilege	3488
Token: SeShutdownPrivilege	3488
Token: SeCreatePagefilePrivilege	3488
Token: SeShutdownPrivilege	3488
Token: SeCreatePagefilePrivilege	3488
Token: SeShutdownPrivilege	3488
Token: SeCreatePagefilePrivilege	3488
Token: SeShutdownPrivilege	3488
Token: SeCreatePagefilePrivilege	3488
Token: SeShutdownPrivilege	3488
Token: SeCreatePagefilePrivilege	3488
Token: SeShutdownPrivilege	3488
Token: SeCreatePagefilePrivilege	3488
Token: SeShutdownPrivilege	3488
Token: SeCreatePagefilePrivilege	3488
Token: SeShutdownPrivilege	3488
Token: SeCreatePagefilePrivilege	3488
Token: SeShutdownPrivilege	3488
Token: SeCreatePagefilePrivilege	3488
Token: SeShutdownPrivilege	3488
Token: SeCreatePagefilePrivilege	3488
Token: SeShutdownPrivilege	3488
Token: SeCreatePagefilePrivilege	3488
Token: SeShutdownPrivilege	3488
Token: SeCreatePagefilePrivilege	3488
Token: SeShutdownPrivilege	3488
Token: SeCreatePagefilePrivilege	3488
Token: SeShutdownPrivilege	3488
Token: SeCreatePagefilePrivilege	3488
Token: SeShutdownPrivilege	3488
Token: SeCreatePagefilePrivilege	3488
Token: SeShutdownPrivilege	3488
Token: SeCreatePagefilePrivilege	3488

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2WikyfhIg3qcjejHn3mPOq9j.exee5W2c6C_Ffjf6gm9xlreVkWg.execontrol.exeWmcAeyPH9OdJPuX7sT7d_UMh.exeEXka605mTeWhm55sj8YFdBKM.exerundll32.exe

description	pid	process	target process
PID 1616 wrote to memory of 3144	1616	2WikyfhIg3qcjejHn3mPOq9j.exe	uZEwWsj41x_YXbINNO3T1Dor.exe
PID 1616 wrote to memory of 3144	1616	2WikyfhIg3qcjejHn3mPOq9j.exe	uZEwWsj41x_YXbINNO3T1Dor.exe
PID 1616 wrote to memory of 3144	1616	2WikyfhIg3qcjejHn3mPOq9j.exe	uZEwWsj41x_YXbINNO3T1Dor.exe
PID 1616 wrote to memory of 2656	1616	2WikyfhIg3qcjejHn3mPOq9j.exe	e5W2c6C_Ffjf6gm9xlreVkWg.exe
PID 1616 wrote to memory of 2656	1616	2WikyfhIg3qcjejHn3mPOq9j.exe	e5W2c6C_Ffjf6gm9xlreVkWg.exe
PID 1616 wrote to memory of 2656	1616	2WikyfhIg3qcjejHn3mPOq9j.exe	e5W2c6C_Ffjf6gm9xlreVkWg.exe
PID 1616 wrote to memory of 3140	1616	2WikyfhIg3qcjejHn3mPOq9j.exe	jFs2AGKtO1oE9oaBJSb_xfmK.exe
PID 1616 wrote to memory of 3140	1616	2WikyfhIg3qcjejHn3mPOq9j.exe	jFs2AGKtO1oE9oaBJSb_xfmK.exe
PID 1616 wrote to memory of 3140	1616	2WikyfhIg3qcjejHn3mPOq9j.exe	jFs2AGKtO1oE9oaBJSb_xfmK.exe
PID 1616 wrote to memory of 3456	1616	2WikyfhIg3qcjejHn3mPOq9j.exe	cqwh99pDl8DJKLTFsK7r3dKV.exe
PID 1616 wrote to memory of 3456	1616	2WikyfhIg3qcjejHn3mPOq9j.exe	cqwh99pDl8DJKLTFsK7r3dKV.exe
PID 1616 wrote to memory of 3456	1616	2WikyfhIg3qcjejHn3mPOq9j.exe	cqwh99pDl8DJKLTFsK7r3dKV.exe
PID 1616 wrote to memory of 3552	1616	2WikyfhIg3qcjejHn3mPOq9j.exe	EXka605mTeWhm55sj8YFdBKM.exe
PID 1616 wrote to memory of 3552	1616	2WikyfhIg3qcjejHn3mPOq9j.exe	EXka605mTeWhm55sj8YFdBKM.exe
PID 1616 wrote to memory of 3552	1616	2WikyfhIg3qcjejHn3mPOq9j.exe	EXka605mTeWhm55sj8YFdBKM.exe
PID 1616 wrote to memory of 2588	1616	2WikyfhIg3qcjejHn3mPOq9j.exe	WmcAeyPH9OdJPuX7sT7d_UMh.exe
PID 1616 wrote to memory of 2588	1616	2WikyfhIg3qcjejHn3mPOq9j.exe	WmcAeyPH9OdJPuX7sT7d_UMh.exe
PID 1616 wrote to memory of 2588	1616	2WikyfhIg3qcjejHn3mPOq9j.exe	WmcAeyPH9OdJPuX7sT7d_UMh.exe
PID 2656 wrote to memory of 1376	2656	e5W2c6C_Ffjf6gm9xlreVkWg.exe	control.exe
PID 2656 wrote to memory of 1376	2656	e5W2c6C_Ffjf6gm9xlreVkWg.exe	control.exe
PID 2656 wrote to memory of 1376	2656	e5W2c6C_Ffjf6gm9xlreVkWg.exe	control.exe
PID 1376 wrote to memory of 1736	1376	control.exe	rundll32.exe
PID 1376 wrote to memory of 1736	1376	control.exe	rundll32.exe
PID 1376 wrote to memory of 1736	1376	control.exe	rundll32.exe
PID 2588 wrote to memory of 964	2588	WmcAeyPH9OdJPuX7sT7d_UMh.exe	RegAsm.exe
PID 2588 wrote to memory of 964	2588	WmcAeyPH9OdJPuX7sT7d_UMh.exe	RegAsm.exe
PID 2588 wrote to memory of 964	2588	WmcAeyPH9OdJPuX7sT7d_UMh.exe	RegAsm.exe
PID 2588 wrote to memory of 4176	2588	WmcAeyPH9OdJPuX7sT7d_UMh.exe	RegAsm.exe
PID 2588 wrote to memory of 4176	2588	WmcAeyPH9OdJPuX7sT7d_UMh.exe	RegAsm.exe
PID 2588 wrote to memory of 4176	2588	WmcAeyPH9OdJPuX7sT7d_UMh.exe	RegAsm.exe
PID 2588 wrote to memory of 4544	2588	WmcAeyPH9OdJPuX7sT7d_UMh.exe	RegAsm.exe
PID 2588 wrote to memory of 4544	2588	WmcAeyPH9OdJPuX7sT7d_UMh.exe	RegAsm.exe
PID 2588 wrote to memory of 4544	2588	WmcAeyPH9OdJPuX7sT7d_UMh.exe	RegAsm.exe
PID 2588 wrote to memory of 2392	2588	WmcAeyPH9OdJPuX7sT7d_UMh.exe	RegAsm.exe
PID 2588 wrote to memory of 2392	2588	WmcAeyPH9OdJPuX7sT7d_UMh.exe	RegAsm.exe
PID 2588 wrote to memory of 2392	2588	WmcAeyPH9OdJPuX7sT7d_UMh.exe	RegAsm.exe
PID 2588 wrote to memory of 2392	2588	WmcAeyPH9OdJPuX7sT7d_UMh.exe	RegAsm.exe
PID 2588 wrote to memory of 2392	2588	WmcAeyPH9OdJPuX7sT7d_UMh.exe	RegAsm.exe
PID 2588 wrote to memory of 2392	2588	WmcAeyPH9OdJPuX7sT7d_UMh.exe	RegAsm.exe
PID 2588 wrote to memory of 2392	2588	WmcAeyPH9OdJPuX7sT7d_UMh.exe	RegAsm.exe
PID 2588 wrote to memory of 2392	2588	WmcAeyPH9OdJPuX7sT7d_UMh.exe	RegAsm.exe
PID 2588 wrote to memory of 2392	2588	WmcAeyPH9OdJPuX7sT7d_UMh.exe	RegAsm.exe
PID 2588 wrote to memory of 2392	2588	WmcAeyPH9OdJPuX7sT7d_UMh.exe	RegAsm.exe
PID 2588 wrote to memory of 2392	2588	WmcAeyPH9OdJPuX7sT7d_UMh.exe	RegAsm.exe
PID 3552 wrote to memory of 3648	3552	EXka605mTeWhm55sj8YFdBKM.exe	RegAsm.exe
PID 3552 wrote to memory of 3648	3552	EXka605mTeWhm55sj8YFdBKM.exe	RegAsm.exe
PID 3552 wrote to memory of 3648	3552	EXka605mTeWhm55sj8YFdBKM.exe	RegAsm.exe
PID 3552 wrote to memory of 1612	3552	EXka605mTeWhm55sj8YFdBKM.exe	RegAsm.exe
PID 3552 wrote to memory of 1612	3552	EXka605mTeWhm55sj8YFdBKM.exe	RegAsm.exe
PID 3552 wrote to memory of 1612	3552	EXka605mTeWhm55sj8YFdBKM.exe	RegAsm.exe
PID 3552 wrote to memory of 4992	3552	EXka605mTeWhm55sj8YFdBKM.exe	RegAsm.exe
PID 3552 wrote to memory of 4992	3552	EXka605mTeWhm55sj8YFdBKM.exe	RegAsm.exe
PID 3552 wrote to memory of 4992	3552	EXka605mTeWhm55sj8YFdBKM.exe	RegAsm.exe
PID 3552 wrote to memory of 4992	3552	EXka605mTeWhm55sj8YFdBKM.exe	RegAsm.exe
PID 3552 wrote to memory of 4992	3552	EXka605mTeWhm55sj8YFdBKM.exe	RegAsm.exe
PID 3552 wrote to memory of 4992	3552	EXka605mTeWhm55sj8YFdBKM.exe	RegAsm.exe
PID 3552 wrote to memory of 4992	3552	EXka605mTeWhm55sj8YFdBKM.exe	RegAsm.exe
PID 3552 wrote to memory of 4992	3552	EXka605mTeWhm55sj8YFdBKM.exe	RegAsm.exe
PID 3552 wrote to memory of 4992	3552	EXka605mTeWhm55sj8YFdBKM.exe	RegAsm.exe
PID 3552 wrote to memory of 4992	3552	EXka605mTeWhm55sj8YFdBKM.exe	RegAsm.exe
PID 3552 wrote to memory of 4992	3552	EXka605mTeWhm55sj8YFdBKM.exe	RegAsm.exe
PID 3552 wrote to memory of 4992	3552	EXka605mTeWhm55sj8YFdBKM.exe	RegAsm.exe
PID 1736 wrote to memory of 2960	1736	rundll32.exe	RunDll32.exe
PID 1736 wrote to memory of 2960	1736	rundll32.exe	RunDll32.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

Processes:

jFs2AGKtO1oE9oaBJSb_xfmK.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	jFs2AGKtO1oE9oaBJSb_xfmK.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

Processes:

cqwh99pDl8DJKLTFsK7r3dKV.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	cqwh99pDl8DJKLTFsK7r3dKV.exe

outlook_win_path 1 IoCs

Processes:

cqwh99pDl8DJKLTFsK7r3dKV.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	cqwh99pDl8DJKLTFsK7r3dKV.exe

C:\Users\Admin\AppData\Local\Temp\2WikyfhIg3qcjejHn3mPOq9j.exe
"C:\Users\Admin\AppData\Local\Temp\2WikyfhIg3qcjejHn3mPOq9j.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1616
- C:\Users\Admin\Documents\GuardFox\uZEwWsj41x_YXbINNO3T1Dor.exe
  "C:\Users\Admin\Documents\GuardFox\uZEwWsj41x_YXbINNO3T1Dor.exe"
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:3144
- C:\Users\Admin\Documents\GuardFox\e5W2c6C_Ffjf6gm9xlreVkWg.exe
  "C:\Users\Admin\Documents\GuardFox\e5W2c6C_Ffjf6gm9xlreVkWg.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\SysWOW64\control.exe
    "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\AuUSoG.cPl",
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1376
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\AuUSoG.cPl",
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1736
    - - C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\AuUSoG.cPl",
        5⤵
        
        PID:2960
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\AuUSoG.cPl",
        6⤵
        Loads dropped DLL
        
        PID:4828
- C:\Users\Admin\Documents\GuardFox\jFs2AGKtO1oE9oaBJSb_xfmK.exe
  "C:\Users\Admin\Documents\GuardFox\jFs2AGKtO1oE9oaBJSb_xfmK.exe"
  2⤵
  - UAC bypass
  - Windows security bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Windows security modification
  - Checks whether UAC is enabled
  - System policy modification
  PID:3140
- - C:\Windows\SysWOW64\calc.exe
    "C:\Windows\SYSWOW64\calc.exe"
    3⤵
    PID:1644
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\GuardFox\jFs2AGKtO1oE9oaBJSb_xfmK.exe" -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3188
- C:\Users\Admin\Documents\GuardFox\cqwh99pDl8DJKLTFsK7r3dKV.exe
  "C:\Users\Admin\Documents\GuardFox\cqwh99pDl8DJKLTFsK7r3dKV.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Adds Run key to start application
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - outlook_office_path
  - outlook_win_path
  PID:3456
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV2\MSIUpdaterV2.exe" /tn "MSIUpdaterV2 HR" /sc HOURLY /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2344
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV2\MSIUpdaterV2.exe" /tn "MSIUpdaterV2 LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:952
- - C:\Users\Admin\AppData\Local\Temp\heidipEQmP7PGB6Nd\fVCjIlatPIFbu9GHhTIX.exe
    "C:\Users\Admin\AppData\Local\Temp\heidipEQmP7PGB6Nd\fVCjIlatPIFbu9GHhTIX.exe"
    3⤵
    - Executes dropped EXE
    PID:4756
  - - C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
      4⤵
      Creates scheduled task(s)
      PID:3704
- C:\Users\Admin\Documents\GuardFox\WmcAeyPH9OdJPuX7sT7d_UMh.exe
  "C:\Users\Admin\Documents\GuardFox\WmcAeyPH9OdJPuX7sT7d_UMh.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4176
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4544
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:964
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:2392
- C:\Users\Admin\Documents\GuardFox\EXka605mTeWhm55sj8YFdBKM.exe
  "C:\Users\Admin\Documents\GuardFox\EXka605mTeWhm55sj8YFdBKM.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3552
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:3648
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:1612
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4992
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 544
      4⤵
      Program crash
      PID:3584

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:1716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:3164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4992 -ip 4992
1⤵
PID:2128

C:\Users\Admin\AppData\Local\Temp\7625.exe
C:\Users\Admin\AppData\Local\Temp\7625.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1300
- C:\Users\Admin\AppData\Local\Temp\7625.exe
  C:\Users\Admin\AppData\Local\Temp\7625.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4484
- - C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
    "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:2708
  - - C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
      "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:1612
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:3716
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
        5⤵
        Loads dropped DLL
        
        PID:2904
      - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
        6⤵
        Loads dropped DLL
        
        PID:2884
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
        5⤵
        Loads dropped DLL
        
        PID:3532
      - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
        6⤵
        Loads dropped DLL
        
        PID:4656
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
        5⤵
        Loads dropped DLL
        
        PID:64
      - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\cred64.dll, Main
        6⤵
        Loads dropped DLL
        
        PID:404
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
        5⤵
        Loads dropped DLL
        
        PID:1852
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
        5⤵
        Loads dropped DLL
        
        PID:1176
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\2eed656dd58e95\clip64.dll, Main
        5⤵
        Loads dropped DLL
        
        PID:2708

C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:744
- C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
  C:\Users\Admin\AppData\Local\Temp\68fd3d7ade\Utsysc.exe
  2⤵
  - Executes dropped EXE
  PID:1952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery