Analysis
-
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/03/2024, 05:08
Static task: static1
Behavioral task: behavioral1
  Sample: d5475002d7df4177a826a1d378523662.vbs
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: d5475002d7df4177a826a1d378523662.vbs
  Resource: win10v2004-20240226-en
General
-
Target: d5475002d7df4177a826a1d378523662.vbs
Size: 11KB
MD5: d5475002d7df4177a826a1d378523662
SHA1: 2a954786814c35bc4e813281941b30ccc04d2ede
SHA256: f28650e1d85b3ee7b514bf8213ff5087eff05488db2c4bf841a17e8f61d202bf
SHA512: bc8c6abab6d79eadfb4d6859c76329d05ccbe226ff213503925582ac3e92176a944b84861a1733f19183f73371412dc84de647ca4f1b2840e86d8227d0565fdb
SSDEEP: 192:cnaw/17v7u9arZKrZ4irZvB5+692oUw4mueWhie0aW4:k317v7u9AQ4YKw2lw4mueFOW4
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | WScript.exe
-
Disables cmd.exe use via registry modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1" | WScript.exe
-
Sets file execution options in registry (2 TTPs, 16 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe | WScript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe | WScript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "Notepad.exe" | WScript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe | WScript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "Notepad.exe" | WScript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TaskMgr.exe\Debugger = "Notepad.exe" | WScript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "Notepad.exe" | WScript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | WScript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe | WScript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe\Debugger = "Notepad.exe" | WScript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe\Debugger = "Notepad.exe" | WScript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe | WScript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "Notepad.exe" | WScript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe\Debugger = "Notepad.exe" | WScript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | WScript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TaskMgr.exe | WScript.exe
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | WScript.exe
-
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tartule = "C:\\Users\\Admin\\Favorites\\Tartule.lnk" | WScript.exe
-
Enumerates connected drives (3 TTPs, 2 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | WScript.exe
File opened (read-only) | \??\G: | WScript.exe
-
Drops autorun.inf file (1 TTP, 4 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\AutoRun.inf | WScript.exe
File created | F:\AutoRun.inf | WScript.exe
File opened for modification | F:\AutoRun.inf | WScript.exe
File created | C:\AutoRun.inf | WScript.exe
-
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\WindowsPowerShell\Modules\Girls.vbs | WScript.exe
File opened for modification | C:\Program Files\Common Files\DESIGNER\Girls.vbs | WScript.exe
File created | C:\Program Files\Java\Money.vbs | WScript.exe
File created | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_2019.807.41.0_neutral_~_8wekyb3d8bbwe\Girls.vbs | WScript.exe
File created | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Girls.vbs | WScript.exe
File opened for modification | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\Girls.vbs | WScript.exe
File created | C:\Program Files\Microsoft Office\Office16\Girls.vbs | WScript.exe
File created | C:\Program Files\Windows Photo Viewer\de-DE\Girls.vbs | WScript.exe
File created | C:\Program Files (x86)\Readme.vbs | WScript.exe
File opened for modification | C:\Program Files\Windows Portable Devices\Money.vbs | WScript.exe
File created | C:\Program Files (x86)\MSBuild\Microsoft\Girls.vbs | WScript.exe
File created | C:\Program Files\Common Files\Services\Girls.vbs | WScript.exe
File created | C:\Program Files\WindowsPowerShell\Configuration\Girls.vbs | WScript.exe
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Girls.vbs | WScript.exe
File created | C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Girls.vbs | WScript.exe
File opened for modification | C:\Program Files (x86)\Windows Media Player\Media Renderer\Girls.vbs | WScript.exe
File created | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Girls.vbs | WScript.exe
File created | C:\Program Files (x86)\Windows Photo Viewer\fr-FR\Girls.vbs | WScript.exe
File created | C:\Program Files\Reference Assemblies\Microsoft\Girls.vbs | WScript.exe
File created | C:\Program Files\Windows Defender\de-DE\Girls.vbs | WScript.exe
File created | C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Girls.vbs | WScript.exe
File opened for modification | C:\Program Files\Windows Media Player\Visualizations\Girls.vbs | WScript.exe
File opened for modification | C:\Program Files\Windows Multimedia Platform\Money.vbs | WScript.exe
File opened for modification | C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color48.vbs | WScript.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Girls.vbs | WScript.exe
File created | C:\Program Files (x86)\Windows Defender\uk-UA\Girls.vbs | WScript.exe
File opened for modification | C:\Program Files\Windows Defender\de-DE\Girls.vbs | WScript.exe
File opened for modification | C:\Program Files\Windows Media Player\es-ES\Girls.vbs | WScript.exe
File opened for modification | C:\Program Files (x86)\Microsoft.NET\RedistList\Girls.vbs | WScript.exe
File created | C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_~_8wekyb3d8bbwe\Girls.vbs | WScript.exe
File created | C:\Program Files (x86)\Common Files\Java\Girls.vbs | WScript.exe
File opened for modification | C:\Program Files\SwitchResume.vbs | WScript.exe
File created | C:\Program Files\7-Zip\Lang\Girls.vbs | WScript.exe
File created | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_~_8wekyb3d8bbwe\Girls.vbs | WScript.exe
File created | C:\Program Files (x86)\Windows Media Player\Media Renderer\DMR_120.vbs | WScript.exe
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Girls.vbs | WScript.exe
File created | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Girls.vbs | WScript.exe
File created | C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_neutral_~_8wekyb3d8bbwe\Girls.vbs | WScript.exe
File opened for modification | C:\Program Files\Internet Explorer\ja-JP\Girls.vbs | WScript.exe
File created | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Girls.vbs | WScript.exe
File opened for modification | C:\Program Files (x86)\Common Files\Services\verisign.vbs | WScript.exe
File created | C:\Program Files (x86)\Windows Media Player\Media Renderer\Girls.vbs | WScript.exe
File opened for modification | C:\Program Files\Windows Media Player\it-IT\Girls.vbs | WScript.exe
File created | C:\Program Files\Windows Media Player\ja-JP\Girls.vbs | WScript.exe
File created | C:\Program Files\Windows Sidebar\Money.vbs | WScript.exe
File created | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Girls.vbs | WScript.exe
File created | C:\Program Files\Common Files\DESIGNER\Girls.vbs | WScript.exe
File created | C:\Program Files\Internet Explorer\it-IT\Girls.vbs | WScript.exe
File created | C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_neutral_split.scale-100_8wekyb3d8bbwe\Girls.vbs | WScript.exe
File created | C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Girls.vbs | WScript.exe
File created | C:\Program Files (x86)\Common Files\System\Girls.vbs | WScript.exe
File created | C:\Program Files (x86)\Google\CrashReports\Girls.vbs | WScript.exe
File created | C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Girls.vbs | WScript.exe
File created | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-100_8wekyb3d8bbwe\Girls.vbs | WScript.exe
File created | C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\Girls.vbs | WScript.exe
File opened for modification | C:\Program Files (x86)\Windows Media Player\uk-UA\Girls.vbs | WScript.exe
File opened for modification | C:\Program Files\Windows Defender\en-US\Girls.vbs | WScript.exe
File created | C:\Program Files\WindowsApps\Microsoft.MSPaint_2019.729.2301.0_neutral_~_8wekyb3d8bbwe\Girls.vbs | WScript.exe
File created | C:\Program Files (x86)\Google\Temp\Girls.vbs | WScript.exe
File opened for modification | C:\Program Files\Mozilla Firefox\defaults\Girls.vbs | WScript.exe
File created | C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\Girls.vbs | WScript.exe
File created | C:\Program Files (x86)\Internet Explorer\fr-FR\Girls.vbs | WScript.exe
File opened for modification | C:\Program Files (x86)\Windows Media Player\Media Renderer\DMR_48.vbs | WScript.exe
File created | C:\Program Files\Microsoft Office\root\Girls.vbs | WScript.exe
-
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\Readme.vbs | WScript.exe
File opened for modification | C:\Windows\Readme.vbs | WScript.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
-
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
-
Modifies registry class (15 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | WScript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\wordicon.exe,1" | WScript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | WScript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "logoff.exe" | WScript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\ = "Microsoft Word 97 - 2003 Document" | WScript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "logoff.exe" | WScript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command | WScript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\DefaultIcon | WScript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\NeverShowExt | WScript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\FriendlyTypeName = "Microsoft Word 97 - 2003 Document" | WScript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile | WScript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell | WScript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install | WScript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "logoff.exe" | WScript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile | WScript.exe
-
Modifies registry key (1 TTP, 1 IoC)
pid | Process
4376 | reg.exe
-
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process
2984 | WINWORD.EXE
2984 | WINWORD.EXE
-
Suspicious use of SetWindowsHookEx (7 IoCs)
pid | Process
2984 | WINWORD.EXE
2984 | WINWORD.EXE
2984 | WINWORD.EXE
2984 | WINWORD.EXE
2984 | WINWORD.EXE
2984 | WINWORD.EXE
2984 | WINWORD.EXE
-
Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 3480 wrote to memory of 2984 | 3480 | WScript.exe | 90
PID 3480 wrote to memory of 2984 | 3480 | WScript.exe | 90
PID 3480 wrote to memory of 4376 | 3480 | WScript.exe | 91
PID 3480 wrote to memory of 4376 | 3480 | WScript.exe | 91
-
System policy modification (1 TTP, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system | WScript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" | WScript.exe
Processes
-
1. C:\Windows\System32\WScript.exe
   Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5475002d7df4177a826a1d378523662.vbs"
   PID: 3480
   - Modifies visibility of file extensions in Explorer
   - Disables cmd.exe use via registry modification
   - Sets file execution options in registry
   - Checks computer location settings
   - Adds Run key to start application
   - Enumerates connected drives
   - Drops autorun.inf file
   - Drops file in Program Files directory
   - Drops file in Windows directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   - System policy modification
   2. C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (child of PID 3480)
      Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "%1" /o "%u" ""
      PID: 2984
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious use of SetWindowsHookEx
   2. C:\Windows\System32\reg.exe (child of PID 3480)
      Command line: "C:\Windows\System32\reg.exe" DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /va /f
      PID: 4376
      - Modifies registry key
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Modify Registry (5)
Downloads