e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe

Loads dropped DLL 6 IoCs

pid	Process
2880	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe
5020	regsvr32.exe
4040	regsvr32.exe
556	regsvr32.exe
1560	regsvr32.exe
2936	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a00000002343c-1.dat	upx
behavioral2/memory/2880-4-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/5020-14-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/5020-16-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/2880-20-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/2880-142-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/2880-141-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/4040-156-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/556-157-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/4040-153-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/556-159-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/1560-164-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/2936-166-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/2936-165-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/1560-161-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/2880-177-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/2880-2183-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDMan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe /onboot"	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\e:	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1"	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Modifies Internet Explorer settings 1 TTPs 22 IoCs

adware spyware

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IEExt.htm"	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe"	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3"	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe"	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe"	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3"	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}"	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM\contexts = "243"	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Low Rights	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3"	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe

Modifies registry class 16 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ROTFlags = "1"	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	firefox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe"	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\RunAs = "Interactive User"	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID\ = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}"	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\AppID = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}"	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan"	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\WOW6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\WOW6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}\Model = "129"	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\WOW6432Node\CLSID\{07999AC3-058B-40BF-984F-69EB1E554CA7}\Therad = "1"	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan.CIDMLinkTransmitter"	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2880	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe
2880	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe
2880	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe
2880	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe
2880	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe
2880	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe
2880	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe
2880	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	2880	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe
Token: SeRestorePrivilege	2880	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe
Token: SeDebugPrivilege	5020	regsvr32.exe
Token: SeDebugPrivilege	2596	firefox.exe
Token: SeDebugPrivilege	2596	firefox.exe
Token: SeDebugPrivilege	4040	regsvr32.exe
Token: SeDebugPrivilege	556	regsvr32.exe
Token: SeDebugPrivilege	1560	regsvr32.exe
Token: SeDebugPrivilege	2936	regsvr32.exe
Token: SeDebugPrivilege	2596	firefox.exe
Token: SeDebugPrivilege	2596	firefox.exe
Token: SeDebugPrivilege	2596	firefox.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2596	firefox.exe
2596	firefox.exe
2596	firefox.exe
2596	firefox.exe
2880	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2596	firefox.exe
2596	firefox.exe
2596	firefox.exe
2880	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2880	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe
2880	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe
2880	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe
2596	firefox.exe
2880	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe
2880	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe
2880	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe
2880	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe
2880	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe
2880	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe
2880	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe
2880	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 5020	2880	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe	88
PID 2880 wrote to memory of 5020	2880	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe	88
PID 2880 wrote to memory of 5020	2880	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe	88
PID 2880 wrote to memory of 5044	2880	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe	89
PID 2880 wrote to memory of 5044	2880	e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe	89
PID 5044 wrote to memory of 2596	5044	firefox.exe	90
PID 5044 wrote to memory of 2596	5044	firefox.exe	90
PID 5044 wrote to memory of 2596	5044	firefox.exe	90
PID 5044 wrote to memory of 2596	5044	firefox.exe	90
PID 5044 wrote to memory of 2596	5044	firefox.exe	90
PID 5044 wrote to memory of 2596	5044	firefox.exe	90
PID 5044 wrote to memory of 2596	5044	firefox.exe	90
PID 5044 wrote to memory of 2596	5044	firefox.exe	90
PID 5044 wrote to memory of 2596	5044	firefox.exe	90
PID 5044 wrote to memory of 2596	5044	firefox.exe	90
PID 5044 wrote to memory of 2596	5044	firefox.exe	90
PID 2596 wrote to memory of 4676	2596	firefox.exe	91
PID 2596 wrote to memory of 4676	2596	firefox.exe	91
PID 2596 wrote to memory of 4676	2596	firefox.exe	91
PID 2596 wrote to memory of 4676	2596	firefox.exe	91
PID 2596 wrote to memory of 4676	2596	firefox.exe	91
PID 2596 wrote to memory of 4676	2596	firefox.exe	91
PID 2596 wrote to memory of 4676	2596	firefox.exe	91
PID 2596 wrote to memory of 4676	2596	firefox.exe	91
PID 2596 wrote to memory of 4676	2596	firefox.exe	91
PID 2596 wrote to memory of 4676	2596	firefox.exe	91
PID 2596 wrote to memory of 4676	2596	firefox.exe	91
PID 2596 wrote to memory of 4676	2596	firefox.exe	91
PID 2596 wrote to memory of 4676	2596	firefox.exe	91
PID 2596 wrote to memory of 4676	2596	firefox.exe	91
PID 2596 wrote to memory of 4676	2596	firefox.exe	91
PID 2596 wrote to memory of 4676	2596	firefox.exe	91
PID 2596 wrote to memory of 4676	2596	firefox.exe	91
PID 2596 wrote to memory of 4676	2596	firefox.exe	91
PID 2596 wrote to memory of 4676	2596	firefox.exe	91
PID 2596 wrote to memory of 4676	2596	firefox.exe	91
PID 2596 wrote to memory of 4676	2596	firefox.exe	91
PID 2596 wrote to memory of 4676	2596	firefox.exe	91
PID 2596 wrote to memory of 4676	2596	firefox.exe	91
PID 2596 wrote to memory of 4676	2596	firefox.exe	91
PID 2596 wrote to memory of 4676	2596	firefox.exe	91
PID 2596 wrote to memory of 4676	2596	firefox.exe	91
PID 2596 wrote to memory of 4676	2596	firefox.exe	91
PID 2596 wrote to memory of 4676	2596	firefox.exe	91
PID 2596 wrote to memory of 4676	2596	firefox.exe	91
PID 2596 wrote to memory of 4676	2596	firefox.exe	91
PID 2596 wrote to memory of 4676	2596	firefox.exe	91
PID 2596 wrote to memory of 4676	2596	firefox.exe	91
PID 2596 wrote to memory of 4676	2596	firefox.exe	91
PID 2596 wrote to memory of 4676	2596	firefox.exe	91
PID 2596 wrote to memory of 4676	2596	firefox.exe	91
PID 2596 wrote to memory of 4676	2596	firefox.exe	91
PID 2596 wrote to memory of 4676	2596	firefox.exe	91
PID 2596 wrote to memory of 4676	2596	firefox.exe	91
PID 2596 wrote to memory of 4676	2596	firefox.exe	91
PID 2596 wrote to memory of 4676	2596	firefox.exe	91
PID 2596 wrote to memory of 4676	2596	firefox.exe	91
PID 2596 wrote to memory of 4676	2596	firefox.exe	91
PID 2596 wrote to memory of 4676	2596	firefox.exe	91
PID 2596 wrote to memory of 2788	2596	firefox.exe	92
PID 2596 wrote to memory of 2788	2596	firefox.exe	92
PID 2596 wrote to memory of 2788	2596	firefox.exe	92
PID 2596 wrote to memory of 2788	2596	firefox.exe	92
PID 2596 wrote to memory of 2788	2596	firefox.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe
"C:\Users\Admin\AppData\Local\Temp\e85ddc9a9967c7f9520697cf989bbe8bb1ac50fa0f2392673cd72db000a9629c.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:5020
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5044
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2596.0.1488670628\334744695" -parentBuildID 20230214051806 -prefsHandle 1804 -prefMapHandle 1796 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad92abf7-e470-45bc-a615-20c5c25166bf} 2596 "\\.\pipe\gecko-crash-server-pipe.2596" 1884 1e95140dd58 gpu
      4⤵
      PID:4676
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2596.1.337350447\677887644" -parentBuildID 20230214051806 -prefsHandle 2448 -prefMapHandle 2436 -prefsLen 22927 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f99e59a3-4745-4460-a58b-fbd9a874ae36} 2596 "\\.\pipe\gecko-crash-server-pipe.2596" 2476 1e93cf86258 socket
      4⤵
      PID:2788
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2596.2.1512419337\1380124467" -childID 1 -isForBrowser -prefsHandle 3012 -prefMapHandle 3008 -prefsLen 22965 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c1f1a73-a57a-4189-8880-ac5f9c60e306} 2596 "\\.\pipe\gecko-crash-server-pipe.2596" 3024 1e954143258 tab
      4⤵
      PID:1616
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2596.3.57623100\1943372442" -childID 2 -isForBrowser -prefsHandle 4008 -prefMapHandle 4004 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a70fff3a-3a7f-4b18-87a8-ad2a07b49711} 2596 "\\.\pipe\gecko-crash-server-pipe.2596" 3572 1e955f2a658 tab
      4⤵
      PID:1960
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2596.4.533552661\1606257603" -childID 3 -isForBrowser -prefsHandle 5092 -prefMapHandle 4544 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4876aa50-5c1a-4fe7-a6e3-dd1397128238} 2596 "\\.\pipe\gecko-crash-server-pipe.2596" 5036 1e957ef7458 tab
      4⤵
      PID:4500
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2596.5.2135228572\631739071" -childID 4 -isForBrowser -prefsHandle 5256 -prefMapHandle 5264 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf4f9858-4d33-42ef-9b28-e6ab72ec1f1a} 2596 "\\.\pipe\gecko-crash-server-pipe.2596" 5208 1e957ef7a58 tab
      4⤵
      PID:4144
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2596.6.1879631218\670228643" -childID 5 -isForBrowser -prefsHandle 5516 -prefMapHandle 5512 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c63ee031-294f-4740-a7c0-66e037b63207} 2596 "\\.\pipe\gecko-crash-server-pipe.2596" 5528 1e957ef9558 tab
      4⤵
      PID:4200
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2596.7.270870219\1100306147" -childID 6 -isForBrowser -prefsHandle 3284 -prefMapHandle 4544 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {37857a19-6df6-4e88-8e62-e220838d9858} 2596 "\\.\pipe\gecko-crash-server-pipe.2596" 5216 1e953b55c58 tab
      4⤵
      PID:4408
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:4040
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMIECC64.dll"
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:556
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMGetAll64.dll"
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:1560
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\downlWithIDM64.dll"
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery