amadey | b84760ded0544c86d23849130082b99c3000b1e4ca5da0690fcdfbf2771b7993

Virtualization/Sandbox Evasion

Processes:

u8frcVVDI6sXvEJHPjLj.exeexplorha.exePbdS7oLPWBmLc719hHgb.exe2d3afcbba3.exeamert.exeexplorha.exeexplorgu.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	u8frcVVDI6sXvEJHPjLj.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	PbdS7oLPWBmLc719hHgb.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2d3afcbba3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amert.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorgu.exe

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

185 4476 rundll32.exe
169 5376 rundll32.exe
Downloads MZ/PE file

flow	pid	process
185	4476	rundll32.exe
169	5376	rundll32.exe

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

2d3afcbba3.exeamert.exeexplorha.exeexplorha.exePbdS7oLPWBmLc719hHgb.exeexplorgu.exeu8frcVVDI6sXvEJHPjLj.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2d3afcbba3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	PbdS7oLPWBmLc719hHgb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	u8frcVVDI6sXvEJHPjLj.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	u8frcVVDI6sXvEJHPjLj.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	PbdS7oLPWBmLc719hHgb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2d3afcbba3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorgu.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

conan.exeu8frcVVDI6sXvEJHPjLj.exeexplorha.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	conan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	u8frcVVDI6sXvEJHPjLj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	explorha.exe

Drops startup file 1 IoCs

Processes:

conan.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeMS131.lnk conan.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeMS131.lnk	conan.exe

Executes dropped EXE 9 IoCs

Processes:

u8frcVVDI6sXvEJHPjLj.exeo4crizxIYyBXjlrNHB8A.exeexplorha.exePbdS7oLPWBmLc719hHgb.exe2d3afcbba3.exego.exeamert.exeexplorha.exeexplorgu.exe

pid	process
4224	u8frcVVDI6sXvEJHPjLj.exe
2244	o4crizxIYyBXjlrNHB8A.exe
4456	explorha.exe
32	PbdS7oLPWBmLc719hHgb.exe
2244	2d3afcbba3.exe
4440	go.exe
2020	amert.exe
5228	explorha.exe
5260	explorgu.exe

Identifies Wine through registry keys 2 TTPs 5 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

Processes:

u8frcVVDI6sXvEJHPjLj.exeexplorha.exeamert.exeexplorha.exeexplorgu.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine	u8frcVVDI6sXvEJHPjLj.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine	amert.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Wine	explorgu.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

pid process

760 rundll32.exe
4476 rundll32.exe
5376 rundll32.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
760	rundll32.exe
4476	rundll32.exe
5376	rundll32.exe

Themida packer 21 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\heidi_43104FVULoT\PbdS7oLPWBmLc719hHgb.exe	themida
behavioral2/memory/32-207-0x0000000000370000-0x0000000000B0E000-memory.dmp	themida
behavioral2/memory/32-208-0x0000000000370000-0x0000000000B0E000-memory.dmp	themida
behavioral2/memory/32-209-0x0000000000370000-0x0000000000B0E000-memory.dmp	themida
behavioral2/memory/32-218-0x0000000000370000-0x0000000000B0E000-memory.dmp	themida
behavioral2/memory/32-219-0x0000000000370000-0x0000000000B0E000-memory.dmp	themida
behavioral2/memory/32-220-0x0000000000370000-0x0000000000B0E000-memory.dmp	themida
behavioral2/memory/32-221-0x0000000000370000-0x0000000000B0E000-memory.dmp	themida
behavioral2/memory/32-222-0x0000000000370000-0x0000000000B0E000-memory.dmp	themida
behavioral2/memory/32-224-0x0000000000370000-0x0000000000B0E000-memory.dmp	themida
behavioral2/memory/2244-234-0x00000000000F0000-0x000000000088E000-memory.dmp	themida
behavioral2/memory/2244-235-0x00000000000F0000-0x000000000088E000-memory.dmp	themida
behavioral2/memory/2244-236-0x00000000000F0000-0x000000000088E000-memory.dmp	themida
behavioral2/memory/2244-237-0x00000000000F0000-0x000000000088E000-memory.dmp	themida
behavioral2/memory/2244-238-0x00000000000F0000-0x000000000088E000-memory.dmp	themida
behavioral2/memory/2244-239-0x00000000000F0000-0x000000000088E000-memory.dmp	themida
behavioral2/memory/2244-240-0x00000000000F0000-0x000000000088E000-memory.dmp	themida
behavioral2/memory/2244-241-0x00000000000F0000-0x000000000088E000-memory.dmp	themida
behavioral2/memory/2244-242-0x00000000000F0000-0x000000000088E000-memory.dmp	themida
behavioral2/memory/32-250-0x0000000000370000-0x0000000000B0E000-memory.dmp	themida
behavioral2/memory/2244-283-0x00000000000F0000-0x000000000088E000-memory.dmp	themida

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

conan.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	conan.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	conan.exe
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	conan.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

conan.exeexplorha.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131 = "C:\\Users\\Admin\\AppData\\Local\\RageMP131\\RageMP131.exe"	conan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeUpdaterV131_708f86c7449baa8ed309c374f21ce511 = "C:\\Users\\Admin\\AppData\\Local\\AdobeUpdaterV131_708f86c7449baa8ed309c374f21ce511\\AdobeUpdaterV131.exe"	conan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeUpdaterV131_d5c0b6b49b90787cd18a3dc2db430415 = "C:\\Users\\Admin\\AppData\\Local\\AdobeUpdaterV131_d5c0b6b49b90787cd18a3dc2db430415\\AdobeUpdaterV131.exe"	conan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeUpdaterV131_346889e96494e8fd7895d6ab35be317c = "C:\\Users\\Admin\\AppData\\Local\\AdobeUpdaterV131_346889e96494e8fd7895d6ab35be317c\\AdobeUpdaterV131.exe"	conan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\go.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000044001\\go.exe"	explorha.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

Processes:

PbdS7oLPWBmLc719hHgb.exe2d3afcbba3.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PbdS7oLPWBmLc719hHgb.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2d3afcbba3.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

45 ipinfo.io
46 ipinfo.io

flow	ioc
45	ipinfo.io
46	ipinfo.io

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\heidi_43104FVULoT\o4crizxIYyBXjlrNHB8A.exe	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

u8frcVVDI6sXvEJHPjLj.exeexplorha.exeamert.exeexplorgu.exeexplorha.exe

pid process

4224 u8frcVVDI6sXvEJHPjLj.exe
4456 explorha.exe
2020 amert.exe
5260 explorgu.exe
5228 explorha.exe
Drops file in Windows directory 2 IoCs

Processes:

amert.exeu8frcVVDI6sXvEJHPjLj.exe

description ioc process

File created C:\Windows\Tasks\explorgu.job amert.exe
File created C:\Windows\Tasks\explorha.job u8frcVVDI6sXvEJHPjLj.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3580 460 WerFault.exe conan.exe

description	ioc	process
File created	C:\Windows\Tasks\explorgu.job	amert.exe
File created	C:\Windows\Tasks\explorha.job	u8frcVVDI6sXvEJHPjLj.exe

pid	pid_target	process	target process
3580	460	WerFault.exe	conan.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

conan.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	conan.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	conan.exe

Creates scheduled task(s) 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4896 schtasks.exe
1236 schtasks.exe
3344 schtasks.exe
2488 schtasks.exe
2472 schtasks.exe
5096 schtasks.exe
956 schtasks.exe
1008 schtasks.exe

pid	process
4896	schtasks.exe
1236	schtasks.exe
3344	schtasks.exe
2488	schtasks.exe
2472	schtasks.exe
5096	schtasks.exe
956	schtasks.exe
1008	schtasks.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{A78E9027-BBE1-42B7-BD4A-674EE82DB382}	msedge.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

Processes:

conan.exeu8frcVVDI6sXvEJHPjLj.exeexplorha.exerundll32.exepowershell.exeamert.exeexplorgu.exeexplorha.exe

pid	process
460	conan.exe
460	conan.exe
460	conan.exe
460	conan.exe
460	conan.exe
460	conan.exe
460	conan.exe
460	conan.exe
460	conan.exe
460	conan.exe
460	conan.exe
460	conan.exe
460	conan.exe
460	conan.exe
4224	u8frcVVDI6sXvEJHPjLj.exe
4224	u8frcVVDI6sXvEJHPjLj.exe
4456	explorha.exe
4456	explorha.exe
4476	rundll32.exe
4476	rundll32.exe
4476	rundll32.exe
4476	rundll32.exe
4476	rundll32.exe
4476	rundll32.exe
4476	rundll32.exe
4476	rundll32.exe
4476	rundll32.exe
4476	rundll32.exe
412	powershell.exe
412	powershell.exe
412	powershell.exe
2020	amert.exe
2020	amert.exe
5260	explorgu.exe
5260	explorgu.exe
5228	explorha.exe
5228	explorha.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 412 powershell.exe

description	pid	process
Token: SeDebugPrivilege	412	powershell.exe

Suspicious use of FindShellTrayWindow 13 IoCs

Processes:

o4crizxIYyBXjlrNHB8A.exeu8frcVVDI6sXvEJHPjLj.exego.exe

pid	process
2244	o4crizxIYyBXjlrNHB8A.exe
2244	o4crizxIYyBXjlrNHB8A.exe
2244	o4crizxIYyBXjlrNHB8A.exe
2244	o4crizxIYyBXjlrNHB8A.exe
4224	u8frcVVDI6sXvEJHPjLj.exe
2244	o4crizxIYyBXjlrNHB8A.exe
2244	o4crizxIYyBXjlrNHB8A.exe
2244	o4crizxIYyBXjlrNHB8A.exe
2244	o4crizxIYyBXjlrNHB8A.exe
4440	go.exe
4440	go.exe
4440	go.exe
4440	go.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

o4crizxIYyBXjlrNHB8A.exego.exe

pid	process
2244	o4crizxIYyBXjlrNHB8A.exe
2244	o4crizxIYyBXjlrNHB8A.exe
2244	o4crizxIYyBXjlrNHB8A.exe
2244	o4crizxIYyBXjlrNHB8A.exe
2244	o4crizxIYyBXjlrNHB8A.exe
2244	o4crizxIYyBXjlrNHB8A.exe
2244	o4crizxIYyBXjlrNHB8A.exe
2244	o4crizxIYyBXjlrNHB8A.exe
4440	go.exe
4440	go.exe
4440	go.exe
4440	go.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

conan.exeo4crizxIYyBXjlrNHB8A.exeu8frcVVDI6sXvEJHPjLj.exeexplorha.exerundll32.exerundll32.exego.exe

description	pid	process	target process
PID 460 wrote to memory of 1236	460	conan.exe	schtasks.exe
PID 460 wrote to memory of 1236	460	conan.exe	schtasks.exe
PID 460 wrote to memory of 1236	460	conan.exe	schtasks.exe
PID 460 wrote to memory of 3344	460	conan.exe	schtasks.exe
PID 460 wrote to memory of 3344	460	conan.exe	schtasks.exe
PID 460 wrote to memory of 3344	460	conan.exe	schtasks.exe
PID 460 wrote to memory of 2488	460	conan.exe	schtasks.exe
PID 460 wrote to memory of 2488	460	conan.exe	schtasks.exe
PID 460 wrote to memory of 2488	460	conan.exe	schtasks.exe
PID 460 wrote to memory of 2472	460	conan.exe	schtasks.exe
PID 460 wrote to memory of 2472	460	conan.exe	schtasks.exe
PID 460 wrote to memory of 2472	460	conan.exe	schtasks.exe
PID 460 wrote to memory of 4224	460	conan.exe	u8frcVVDI6sXvEJHPjLj.exe
PID 460 wrote to memory of 4224	460	conan.exe	u8frcVVDI6sXvEJHPjLj.exe
PID 460 wrote to memory of 4224	460	conan.exe	u8frcVVDI6sXvEJHPjLj.exe
PID 460 wrote to memory of 5096	460	conan.exe	schtasks.exe
PID 460 wrote to memory of 5096	460	conan.exe	schtasks.exe
PID 460 wrote to memory of 5096	460	conan.exe	schtasks.exe
PID 460 wrote to memory of 956	460	conan.exe	schtasks.exe
PID 460 wrote to memory of 956	460	conan.exe	schtasks.exe
PID 460 wrote to memory of 956	460	conan.exe	schtasks.exe
PID 460 wrote to memory of 2244	460	conan.exe	2d3afcbba3.exe
PID 460 wrote to memory of 2244	460	conan.exe	2d3afcbba3.exe
PID 460 wrote to memory of 2244	460	conan.exe	2d3afcbba3.exe
PID 2244 wrote to memory of 2188	2244	o4crizxIYyBXjlrNHB8A.exe	msedge.exe
PID 2244 wrote to memory of 2188	2244	o4crizxIYyBXjlrNHB8A.exe	msedge.exe
PID 4224 wrote to memory of 4456	4224	u8frcVVDI6sXvEJHPjLj.exe	explorha.exe
PID 4224 wrote to memory of 4456	4224	u8frcVVDI6sXvEJHPjLj.exe	explorha.exe
PID 4224 wrote to memory of 4456	4224	u8frcVVDI6sXvEJHPjLj.exe	explorha.exe
PID 2244 wrote to memory of 2588	2244	o4crizxIYyBXjlrNHB8A.exe	msedge.exe
PID 2244 wrote to memory of 2588	2244	o4crizxIYyBXjlrNHB8A.exe	msedge.exe
PID 2244 wrote to memory of 5116	2244	o4crizxIYyBXjlrNHB8A.exe	msedge.exe
PID 2244 wrote to memory of 5116	2244	o4crizxIYyBXjlrNHB8A.exe	msedge.exe
PID 460 wrote to memory of 1008	460	conan.exe	schtasks.exe
PID 460 wrote to memory of 1008	460	conan.exe	schtasks.exe
PID 460 wrote to memory of 1008	460	conan.exe	schtasks.exe
PID 460 wrote to memory of 4896	460	conan.exe	schtasks.exe
PID 460 wrote to memory of 4896	460	conan.exe	schtasks.exe
PID 460 wrote to memory of 4896	460	conan.exe	schtasks.exe
PID 460 wrote to memory of 32	460	conan.exe	PbdS7oLPWBmLc719hHgb.exe
PID 460 wrote to memory of 32	460	conan.exe	PbdS7oLPWBmLc719hHgb.exe
PID 460 wrote to memory of 32	460	conan.exe	PbdS7oLPWBmLc719hHgb.exe
PID 4456 wrote to memory of 2244	4456	explorha.exe	2d3afcbba3.exe
PID 4456 wrote to memory of 2244	4456	explorha.exe	2d3afcbba3.exe
PID 4456 wrote to memory of 2244	4456	explorha.exe	2d3afcbba3.exe
PID 4456 wrote to memory of 760	4456	explorha.exe	rundll32.exe
PID 4456 wrote to memory of 760	4456	explorha.exe	rundll32.exe
PID 4456 wrote to memory of 760	4456	explorha.exe	rundll32.exe
PID 760 wrote to memory of 4476	760	rundll32.exe	rundll32.exe
PID 760 wrote to memory of 4476	760	rundll32.exe	rundll32.exe
PID 4476 wrote to memory of 1984	4476	rundll32.exe	netsh.exe
PID 4476 wrote to memory of 1984	4476	rundll32.exe	netsh.exe
PID 4456 wrote to memory of 4104	4456	explorha.exe	explorha.exe
PID 4456 wrote to memory of 4104	4456	explorha.exe	explorha.exe
PID 4456 wrote to memory of 4104	4456	explorha.exe	explorha.exe
PID 4456 wrote to memory of 4440	4456	explorha.exe	go.exe
PID 4456 wrote to memory of 4440	4456	explorha.exe	go.exe
PID 4456 wrote to memory of 4440	4456	explorha.exe	go.exe
PID 4440 wrote to memory of 3276	4440	go.exe	msedge.exe
PID 4440 wrote to memory of 3276	4440	go.exe	msedge.exe
PID 4440 wrote to memory of 4248	4440	go.exe	msedge.exe
PID 4440 wrote to memory of 4248	4440	go.exe	msedge.exe
PID 4440 wrote to memory of 2368	4440	go.exe	msedge.exe
PID 4440 wrote to memory of 2368	4440	go.exe	msedge.exe

outlook_office_path 1 IoCs

Processes:

conan.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	conan.exe

outlook_win_path 1 IoCs

Processes:

conan.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	conan.exe

C:\Users\Admin\AppData\Local\Temp\conan.exe
"C:\Users\Admin\AppData\Local\Temp\conan.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:460

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:1236

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:3344

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_708f86c7449baa8ed309c374f21ce511\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_708f86c7449baa8ed309c374f21ce511 HR" /sc HOURLY /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:2488

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_708f86c7449baa8ed309c374f21ce511\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_708f86c7449baa8ed309c374f21ce511 LG" /sc ONLOGON /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:2472

C:\Users\Admin\AppData\Local\Temp\heidi_43104FVULoT\u8frcVVDI6sXvEJHPjLj.exe
"C:\Users\Admin\AppData\Local\Temp\heidi_43104FVULoT\u8frcVVDI6sXvEJHPjLj.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4224

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4456

C:\Users\Admin\AppData\Local\Temp\1000042001\2d3afcbba3.exe
"C:\Users\Admin\AppData\Local\Temp\1000042001\2d3afcbba3.exe"
4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:2244

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
5⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4476

C:\Windows\system32\netsh.exe
netsh wlan show profiles
6⤵
PID:1984

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\808065738166_Desktop.zip' -CompressionLevel Optimal
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:412

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
4⤵
PID:4104

C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe
"C:\Users\Admin\AppData\Local\Temp\1000044001\go.exe"
4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
5⤵
PID:3276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
5⤵
PID:4248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
5⤵
PID:2368

C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe
"C:\Users\Admin\AppData\Local\Temp\1000046001\amert.exe"
4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2020

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:5376

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_d5c0b6b49b90787cd18a3dc2db430415\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_d5c0b6b49b90787cd18a3dc2db430415 HR" /sc HOURLY /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:5096

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_d5c0b6b49b90787cd18a3dc2db430415\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_d5c0b6b49b90787cd18a3dc2db430415 LG" /sc ONLOGON /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:956

C:\Users\Admin\AppData\Local\Temp\heidi_43104FVULoT\o4crizxIYyBXjlrNHB8A.exe
"C:\Users\Admin\AppData\Local\Temp\heidi_43104FVULoT\o4crizxIYyBXjlrNHB8A.exe"
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
3⤵
PID:2188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video
3⤵
PID:2588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
3⤵
PID:5116

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_346889e96494e8fd7895d6ab35be317c\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_346889e96494e8fd7895d6ab35be317c HR" /sc HOURLY /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:1008

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_346889e96494e8fd7895d6ab35be317c\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_346889e96494e8fd7895d6ab35be317c LG" /sc ONLOGON /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:4896

C:\Users\Admin\AppData\Local\Temp\heidi_43104FVULoT\PbdS7oLPWBmLc719hHgb.exe
"C:\Users\Admin\AppData\Local\Temp\heidi_43104FVULoT\PbdS7oLPWBmLc719hHgb.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:32

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 460 -s 2140
2⤵
- Program crash
PID:3580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3528 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:3
1⤵
PID:396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3484 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
1⤵
PID:3152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=4948 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:1
1⤵
PID:4904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=4104 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:1
1⤵
PID:1600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=4716 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:1
1⤵
PID:4048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5236 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
1⤵
PID:4040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --mojo-platform-channel-handle=5876 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:1
1⤵
PID:2880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --mojo-platform-channel-handle=5868 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:1
1⤵
PID:652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6212 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
1⤵
PID:4584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=6444 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
1⤵
PID:4080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6476 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
1⤵
- Modifies registry class
PID:3952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 460 -ip 460
1⤵
PID:760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=3928 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
1⤵
PID:6088

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5228

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:5260

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery