9a5139eeb50a93ae805809b587df06f59aed80002fa74a17ff427320fbd2f2e3

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	cd2281116d8ca61ab7cb1e301b5b580e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\PrinterSecurityLayer = "C:\\Windows\\LSPRN.EXE"	cd2281116d8ca61ab7cb1e301b5b580e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	LSPRN.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\PrinterSecurityLayer = "C:\\Windows\\LSPRN.EXE"	LSPRN.EXE

Sets file execution options in registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	LSPRN.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "0"	LSPRN.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	cd2281116d8ca61ab7cb1e301b5b580e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "0"	cd2281116d8ca61ab7cb1e301b5b580e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	cd2281116d8ca61ab7cb1e301b5b580e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "0"	cd2281116d8ca61ab7cb1e301b5b580e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	LSPRN.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "0"	LSPRN.EXE

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	cd2281116d8ca61ab7cb1e301b5b580e.exe

Executes dropped EXE 1 IoCs

pid	Process
2324	LSPRN.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Printer Driver = "C:\\Windows\\system32\\PRINTDRV.EXE"	cd2281116d8ca61ab7cb1e301b5b580e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Printer Driver = "C:\\Windows\\system32\\PRINTDRV.EXE"	LSPRN.EXE

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\LSPRN.EXE	cd2281116d8ca61ab7cb1e301b5b580e.exe
File opened for modification	C:\Windows\LSPRN.EXE	cd2281116d8ca61ab7cb1e301b5b580e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Security\DisableSecuritySettingsCheck = "1"	cd2281116d8ca61ab7cb1e301b5b580e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\	cd2281116d8ca61ab7cb1e301b5b580e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe = "0"	cd2281116d8ca61ab7cb1e301b5b580e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Security\DisableSecuritySettingsCheck = "1"	LSPRN.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\	LSPRN.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe = "0"	LSPRN.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1016 wrote to memory of 2324	1016	cd2281116d8ca61ab7cb1e301b5b580e.exe	90
PID 1016 wrote to memory of 2324	1016	cd2281116d8ca61ab7cb1e301b5b580e.exe	90
PID 1016 wrote to memory of 2324	1016	cd2281116d8ca61ab7cb1e301b5b580e.exe	90

C:\Users\Admin\AppData\Local\Temp\cd2281116d8ca61ab7cb1e301b5b580e.exe
"C:\Users\Admin\AppData\Local\Temp\cd2281116d8ca61ab7cb1e301b5b580e.exe"
1⤵
- Adds policy Run key to start application
- Sets file execution options in registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1016
- C:\Windows\LSPRN.EXE
  "C:\Windows\LSPRN.EXE"
  2⤵
  - Adds policy Run key to start application
  - Sets file execution options in registry
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

4