badrabbit | 92d59f918083649917c9e4d5cc01ac75f7527dd55e5adbb4dcea3f72e5d11daa

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DB.EXE

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\word\startup\	[email protected]

Executes dropped EXE 6 IoCs

pid	Process
3860	FA8E.tmp
1472	AV.EXE
396	AV2.EXE
3452	DB.EXE
5140	EN.EXE
5204	SB.EXE

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000700000001b07b-2642.dat	upx
behavioral1/memory/3452-2645-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/5140-2660-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x000700000001b07c-2658.dat	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DB.EXE

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

persistence privilege_escalation

description	ioc	Process
File opened (read-only)	\??\j:	[email protected]
File opened (read-only)	\??\m:	[email protected]
File opened (read-only)	\??\t:	[email protected]
File opened (read-only)	\??\u:	[email protected]
File opened (read-only)	\??\y:	[email protected]
File opened (read-only)	\??\a:	[email protected]
File opened (read-only)	\??\b:	[email protected]
File opened (read-only)	\??\k:	[email protected]
File opened (read-only)	\??\l:	[email protected]
File opened (read-only)	\??\r:	[email protected]
File opened (read-only)	\??\q:	[email protected]
File opened (read-only)	\??\w:	[email protected]
File opened (read-only)	\??\o:	[email protected]
File opened (read-only)	\??\p:	[email protected]
File opened (read-only)	\??\s:	[email protected]
File opened (read-only)	\??\e:	[email protected]
File opened (read-only)	\??\g:	[email protected]
File opened (read-only)	\??\h:	[email protected]
File opened (read-only)	\??\i:	[email protected]
File opened (read-only)	\??\n:	[email protected]
File opened (read-only)	\??\v:	[email protected]
File opened (read-only)	\??\x:	[email protected]
File opened (read-only)	\??\z:	[email protected]

Legitimate hosting services abused for malware hosting/C2 1 TTPs 15 IoCs

Web Service

T1102

flow	ioc
208	raw.githubusercontent.com
210	raw.githubusercontent.com
209	raw.githubusercontent.com
199	camo.githubusercontent.com
205	camo.githubusercontent.com
206	camo.githubusercontent.com
211	raw.githubusercontent.com
212	raw.githubusercontent.com
226	camo.githubusercontent.com
200	camo.githubusercontent.com
201	camo.githubusercontent.com
202	camo.githubusercontent.com
203	camo.githubusercontent.com
204	camo.githubusercontent.com
207	camo.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\physicaldrive0	SB.EXE

Drops file in System32 directory 38 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\excel	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\office	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\desktop	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\office	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\powerpoint	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\the bat!	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\bitcoin	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\outlook	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\word	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\powerpoint	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\word	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft sql server	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\office	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\powerpoint	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\onenote	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\powerpoint	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\microsoft sql server	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\office	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\onenote	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\microsoft sql server	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\onenote	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\steam	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\steam	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\bitcoin	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft sql server	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\excel	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\excel	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\onenote	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\documents	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\word	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\outlook	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\outlook	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\the bat!	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\thunderbird	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\word	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\excel	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\outlook	[email protected]
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\thunderbird	[email protected]

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp48D8.bmp"	[email protected]

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files (x86)\microsoft\microsoft sql server	[email protected]
File opened for modification	\??\c:\program files (x86)\microsoft\office	[email protected]
File opened for modification	\??\c:\program files (x86)\powerpoint	[email protected]
File opened for modification	\??\c:\program files (x86)\the bat!	[email protected]
File opened for modification	\??\c:\program files (x86)\excel	[email protected]
File opened for modification	\??\c:\program files (x86)\microsoft\onenote	[email protected]
File opened for modification	\??\c:\program files (x86)\microsoft\outlook	[email protected]
File opened for modification	\??\c:\program files (x86)\office	[email protected]
File opened for modification	\??\c:\program files (x86)\steam	[email protected]
File opened for modification	\??\c:\program files (x86)\bitcoin	[email protected]
File opened for modification	\??\c:\program files (x86)\	[email protected]
File opened for modification	\??\c:\program files (x86)\microsoft\excel	[email protected]
File opened for modification	\??\c:\program files (x86)\microsoft\powerpoint	[email protected]
File opened for modification	\??\c:\program files (x86)\microsoft\word	[email protected]
File opened for modification	\??\c:\program files (x86)\thunderbird	[email protected]
File opened for modification	\??\c:\program files\	[email protected]
File opened for modification	\??\c:\program files (x86)\onenote	[email protected]
File opened for modification	\??\c:\program files (x86)\outlook	[email protected]
File opened for modification	\??\c:\program files (x86)\word	[email protected]
File opened for modification	\??\c:\program files (x86)\microsoft sql server	[email protected]

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\infpub.dat	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\bitcoin	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\bitcoin	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\outlook	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\steam	[email protected]
File created	C:\Windows\infpub.dat	[email protected]
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\onenote	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\word	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\office	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\the bat!	[email protected]
File opened for modification	C:\Windows\FA8E.tmp	rundll32.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\the bat!	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\thunderbird	[email protected]
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\office	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\onenote	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\onenote	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\outlook	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\outlook	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\steam	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\thunderbird	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\excel	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\bitcoin	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\excel	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft sql server	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\word	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\office	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\outlook	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\powerpoint	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\thunderbird	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\word	[email protected]
File created	C:\Windows\infpub.dat	[email protected]
File opened for modification	\??\c:\windows\	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft sql server	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\excel	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\microsoft sql server	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\office	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\office	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\office	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\thunderbird	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\word	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\powerpoint	[email protected]
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe
File created	C:\Windows\infpub.dat	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\outlook	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\powerpoint	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\documents	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\microsoft sql server	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\onenote	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\the bat!	[email protected]
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\documents	[email protected]
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\bitcoin	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\office	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\powerpoint	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\steam	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\word	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\excel	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\excel	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\onenote	[email protected]
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\word	[email protected]

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2880	taskkill.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	[email protected]

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\30530A0C86EDB1CD5A2A5FE37EF3BF28E69BE16D	AV.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\30530A0C86EDB1CD5A2A5FE37EF3BF28E69BE16D\Blob = 03000000010000001400000030530a0c86edb1cd5a2a5fe37ef3bf28e69be16d2000000001000000b3020000308202af308202180209009168978ee53f5964300d06092a864886f70d010105050030819b310b30090603550406130255533110300e06035504081307566972676e69613110300e060355040713074e65776275727931123010060355040a13094261636f72204c4c43312330210603550403131a746f74616c736f6c7574696f6e616e746976697275732e636f6d312f302d06092a864886f70d010901162061646d696e40746f74616c736f6c7574696f6e616e746976697275732e636f6d301e170d3131303931383131313834395a170d3132303931373131313834395a30819b310b30090603550406130255533110300e06035504081307566972676e69613110300e060355040713074e65776275727931123010060355040a13094261636f72204c4c43312330210603550403131a746f74616c736f6c7574696f6e616e746976697275732e636f6d312f302d06092a864886f70d010901162061646d696e40746f74616c736f6c7574696f6e616e746976697275732e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100cac8419346518527133fdefd7982ac3919f1d6e2f815ecab0b5d219ccf843885645cfd9c35cae2eff8e7506e690b52c587a59c8d667cb671454030bd370fa334b18afb5ea4f4f819a36685a705a8543f320af913ca680a1d32a402db6d3e42d93228e44ba230fda524d490ddc35b922f23d36d95417136ac50afa567e21359350203010001300d06092a864886f70d0101050500038181003c6a7f43ca2cee1caafee88b04777032a4c9d7794222537e3ebe57953198281bdbe0d3a58f7d3eb358f361848f30ad88a364cd0ae3376e6239dedb01497d52d3dd55e78e49375373419ad7e5e2e036f713bf4d96a552f2aa26b35b66d7a83fb2a9b6e317d162d8342f09ccc71b2a1c7d9474ca7872bfa4acd623d61c4491d740	AV.EXE

NTFS ADS 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Krotten.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\BadRabbit.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Cerber 5.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Winlocker.VB6.Blacksod.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Ana.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Illerka.C.zip:Zone.Identifier	firefox.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2248	NOTEPAD.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4844	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
4844	schtasks.exe
2864	schtasks.exe

Suspicious behavior: EnumeratesProcesses 47 IoCs

pid	Process
1400	rundll32.exe
1400	rundll32.exe
1400	rundll32.exe
1400	rundll32.exe
3860	FA8E.tmp
3860	FA8E.tmp
3860	FA8E.tmp
3860	FA8E.tmp
3860	FA8E.tmp
3860	FA8E.tmp
3860	FA8E.tmp
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
4620	rundll32.exe
4620	rundll32.exe
2300	rundll32.exe
2300	rundll32.exe
2288	rundll32.exe
2288	rundll32.exe
3452	DB.EXE
3452	DB.EXE
3452	DB.EXE
3452	DB.EXE
5524	taskmgr.exe
5524	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	4868	firefox.exe
Token: SeDebugPrivilege	4868	firefox.exe
Token: SeDebugPrivilege	4868	firefox.exe
Token: SeDebugPrivilege	4868	firefox.exe
Token: SeDebugPrivilege	4868	firefox.exe
Token: SeDebugPrivilege	4868	firefox.exe
Token: SeDebugPrivilege	4868	firefox.exe
Token: SeDebugPrivilege	4868	firefox.exe
Token: SeShutdownPrivilege	1400	rundll32.exe
Token: SeDebugPrivilege	1400	rundll32.exe
Token: SeTcbPrivilege	1400	rundll32.exe
Token: SeDebugPrivilege	3860	FA8E.tmp
Token: SeDebugPrivilege	3856	taskmgr.exe
Token: SeSystemProfilePrivilege	3856	taskmgr.exe
Token: SeCreateGlobalPrivilege	3856	taskmgr.exe
Token: SeDebugPrivilege	4868	firefox.exe
Token: 33	3856	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3856	taskmgr.exe
Token: SeShutdownPrivilege	4620	rundll32.exe
Token: SeDebugPrivilege	4620	rundll32.exe
Token: SeTcbPrivilege	4620	rundll32.exe
Token: SeShutdownPrivilege	2300	rundll32.exe
Token: SeDebugPrivilege	2300	rundll32.exe
Token: SeTcbPrivilege	2300	rundll32.exe
Token: SeShutdownPrivilege	2288	rundll32.exe
Token: SeDebugPrivilege	2288	rundll32.exe
Token: SeTcbPrivilege	2288	rundll32.exe
Token: SeDebugPrivilege	4868	firefox.exe
Token: SeShutdownPrivilege	3452	[email protected]
Token: SeCreatePagefilePrivilege	3452	[email protected]
Token: SeDebugPrivilege	4868	firefox.exe
Token: SeDebugPrivilege	2880	taskkill.exe
Token: SeDebugPrivilege	4868	firefox.exe
Token: SeTcbPrivilege	1296	svchost.exe
Token: SeRestorePrivilege	1296	svchost.exe
Token: SeDebugPrivilege	4868	firefox.exe
Token: SeDebugPrivilege	3452	DB.EXE
Token: SeShutdownPrivilege	5204	SB.EXE
Token: SeDebugPrivilege	5524	taskmgr.exe
Token: SeSystemProfilePrivilege	5524	taskmgr.exe
Token: SeCreateGlobalPrivilege	5524	taskmgr.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
4868	firefox.exe
4868	firefox.exe
4868	firefox.exe
4868	firefox.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
4868	firefox.exe
4868	firefox.exe
4868	firefox.exe
4868	firefox.exe
4868	firefox.exe
4868	firefox.exe
5524	taskmgr.exe
5524	taskmgr.exe

Suspicious use of SendNotifyMessage 61 IoCs

pid	Process
4868	firefox.exe
4868	firefox.exe
4868	firefox.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
3856	taskmgr.exe
4868	firefox.exe
4868	firefox.exe
4868	firefox.exe
4868	firefox.exe
4868	firefox.exe
4868	firefox.exe
5524	taskmgr.exe
5524	taskmgr.exe

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
4868	firefox.exe
4868	firefox.exe
4868	firefox.exe
4868	firefox.exe
4868	firefox.exe
4868	firefox.exe
4868	firefox.exe
4868	firefox.exe
4868	firefox.exe
4868	firefox.exe
4868	firefox.exe
4868	firefox.exe
4868	firefox.exe
4868	firefox.exe
4868	firefox.exe
4868	firefox.exe
4868	firefox.exe
4868	firefox.exe
4868	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 4868	2212	firefox.exe	75
PID 2212 wrote to memory of 4868	2212	firefox.exe	75
PID 2212 wrote to memory of 4868	2212	firefox.exe	75
PID 2212 wrote to memory of 4868	2212	firefox.exe	75
PID 2212 wrote to memory of 4868	2212	firefox.exe	75
PID 2212 wrote to memory of 4868	2212	firefox.exe	75
PID 2212 wrote to memory of 4868	2212	firefox.exe	75
PID 2212 wrote to memory of 4868	2212	firefox.exe	75
PID 2212 wrote to memory of 4868	2212	firefox.exe	75
PID 2212 wrote to memory of 4868	2212	firefox.exe	75
PID 2212 wrote to memory of 4868	2212	firefox.exe	75
PID 4868 wrote to memory of 308	4868	firefox.exe	76
PID 4868 wrote to memory of 308	4868	firefox.exe	76
PID 4868 wrote to memory of 2324	4868	firefox.exe	77
PID 4868 wrote to memory of 2324	4868	firefox.exe	77
PID 4868 wrote to memory of 2324	4868	firefox.exe	77
PID 4868 wrote to memory of 2324	4868	firefox.exe	77
PID 4868 wrote to memory of 2324	4868	firefox.exe	77
PID 4868 wrote to memory of 2324	4868	firefox.exe	77
PID 4868 wrote to memory of 2324	4868	firefox.exe	77
PID 4868 wrote to memory of 2324	4868	firefox.exe	77
PID 4868 wrote to memory of 2324	4868	firefox.exe	77
PID 4868 wrote to memory of 2324	4868	firefox.exe	77
PID 4868 wrote to memory of 2324	4868	firefox.exe	77
PID 4868 wrote to memory of 2324	4868	firefox.exe	77
PID 4868 wrote to memory of 2324	4868	firefox.exe	77
PID 4868 wrote to memory of 2324	4868	firefox.exe	77
PID 4868 wrote to memory of 2324	4868	firefox.exe	77
PID 4868 wrote to memory of 2324	4868	firefox.exe	77
PID 4868 wrote to memory of 2324	4868	firefox.exe	77
PID 4868 wrote to memory of 2324	4868	firefox.exe	77
PID 4868 wrote to memory of 2324	4868	firefox.exe	77
PID 4868 wrote to memory of 2324	4868	firefox.exe	77
PID 4868 wrote to memory of 2324	4868	firefox.exe	77
PID 4868 wrote to memory of 2324	4868	firefox.exe	77
PID 4868 wrote to memory of 2324	4868	firefox.exe	77
PID 4868 wrote to memory of 2324	4868	firefox.exe	77
PID 4868 wrote to memory of 2324	4868	firefox.exe	77
PID 4868 wrote to memory of 2324	4868	firefox.exe	77
PID 4868 wrote to memory of 2324	4868	firefox.exe	77
PID 4868 wrote to memory of 2324	4868	firefox.exe	77
PID 4868 wrote to memory of 2324	4868	firefox.exe	77
PID 4868 wrote to memory of 2324	4868	firefox.exe	77
PID 4868 wrote to memory of 2324	4868	firefox.exe	77
PID 4868 wrote to memory of 2324	4868	firefox.exe	77
PID 4868 wrote to memory of 2324	4868	firefox.exe	77
PID 4868 wrote to memory of 2324	4868	firefox.exe	77
PID 4868 wrote to memory of 2324	4868	firefox.exe	77
PID 4868 wrote to memory of 2324	4868	firefox.exe	77
PID 4868 wrote to memory of 2324	4868	firefox.exe	77
PID 4868 wrote to memory of 2324	4868	firefox.exe	77
PID 4868 wrote to memory of 2324	4868	firefox.exe	77
PID 4868 wrote to memory of 2324	4868	firefox.exe	77
PID 4868 wrote to memory of 2324	4868	firefox.exe	77
PID 4868 wrote to memory of 2324	4868	firefox.exe	77
PID 4868 wrote to memory of 2324	4868	firefox.exe	77
PID 4868 wrote to memory of 2324	4868	firefox.exe	77
PID 4868 wrote to memory of 2324	4868	firefox.exe	77
PID 4868 wrote to memory of 2324	4868	firefox.exe	77
PID 4868 wrote to memory of 2324	4868	firefox.exe	77
PID 4868 wrote to memory of 2324	4868	firefox.exe	77
PID 4868 wrote to memory of 3932	4868	firefox.exe	78
PID 4868 wrote to memory of 3932	4868	firefox.exe	78
PID 4868 wrote to memory of 3932	4868	firefox.exe	78

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\image.png
1⤵
PID:3936

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4868
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4868.0.197936959\1805026343" -parentBuildID 20221007134813 -prefsHandle 1700 -prefMapHandle 1680 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {34981258-43c0-458b-a2ef-9d61e418bde1} 4868 "\\.\pipe\gecko-crash-server-pipe.4868" 1780 257acce9658 gpu
    3⤵
    PID:308
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4868.1.1317747283\214946324" -parentBuildID 20221007134813 -prefsHandle 2124 -prefMapHandle 2120 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b2c14508-0352-4fa2-b2ed-fa93a15dab87} 4868 "\\.\pipe\gecko-crash-server-pipe.4868" 2136 257a1c72b58 socket
    3⤵
    PID:2324
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4868.2.1994417575\1633563562" -childID 1 -isForBrowser -prefsHandle 3012 -prefMapHandle 2740 -prefsLen 20866 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {53b907c9-2b6e-402d-99fc-663fdb996a34} 4868 "\\.\pipe\gecko-crash-server-pipe.4868" 2952 257b0fe1a58 tab
    3⤵
    PID:3932
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4868.3.26615951\1001336606" -childID 2 -isForBrowser -prefsHandle 3556 -prefMapHandle 3552 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f220d2ec-89e4-4f07-832d-dd794ab934dd} 4868 "\\.\pipe\gecko-crash-server-pipe.4868" 3560 257a1c5b258 tab
    3⤵
    PID:2568
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4868.4.1523370658\365544766" -childID 3 -isForBrowser -prefsHandle 3996 -prefMapHandle 3992 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a283bf83-f9ce-415d-a046-5f0d1e7ca2ff} 4868 "\\.\pipe\gecko-crash-server-pipe.4868" 4020 257b2651058 tab
    3⤵
    PID:3104
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4868.5.379592437\1990486161" -childID 4 -isForBrowser -prefsHandle 4764 -prefMapHandle 4804 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c4ab920-9ecb-42d7-a305-86377f6a7ab7} 4868 "\\.\pipe\gecko-crash-server-pipe.4868" 4916 257acc0bd58 tab
    3⤵
    PID:2308
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4868.6.558460575\2096624951" -childID 5 -isForBrowser -prefsHandle 5052 -prefMapHandle 5056 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad5d2511-af19-42d9-8864-d35a2837579a} 4868 "\\.\pipe\gecko-crash-server-pipe.4868" 4936 257b33fdb58 tab
    3⤵
    PID:1508
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4868.7.1182595874\208413817" -childID 6 -isForBrowser -prefsHandle 5268 -prefMapHandle 5272 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {42a3e2c5-9b7b-4bfd-91a4-b09885ab3e0d} 4868 "\\.\pipe\gecko-crash-server-pipe.4868" 4916 257b3a1c858 tab
    3⤵
    PID:2208
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4868.8.504915352\1312421055" -childID 7 -isForBrowser -prefsHandle 5588 -prefMapHandle 5584 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a7a940b0-6c19-473a-a82f-3e999d278eb0} 4868 "\\.\pipe\gecko-crash-server-pipe.4868" 5600 257acfef958 tab
    3⤵
    PID:3124
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4868.9.1512161648\1433922087" -parentBuildID 20221007134813 -prefsHandle 5600 -prefMapHandle 5764 -prefsLen 26503 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a649a75-a732-477c-ba62-e130af99c8f9} 4868 "\\.\pipe\gecko-crash-server-pipe.4868" 5836 257b4ef8358 rdd
    3⤵
    PID:1344
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4868.10.514528037\2136655443" -childID 8 -isForBrowser -prefsHandle 5716 -prefMapHandle 5624 -prefsLen 26503 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {92fa5ae5-2c20-405f-8371-084447cbc33d} 4868 "\\.\pipe\gecko-crash-server-pipe.4868" 2988 257b4ef8f58 tab
    3⤵
    PID:1404
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4868.11.1471468459\644443341" -childID 9 -isForBrowser -prefsHandle 5144 -prefMapHandle 3756 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {46805f91-fa1b-4eb3-b0f2-29c1e3234f4d} 4868 "\\.\pipe\gecko-crash-server-pipe.4868" 5148 257b5228c58 tab
    3⤵
    PID:3184
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4868.12.1538220543\2132039120" -childID 10 -isForBrowser -prefsHandle 5280 -prefMapHandle 2696 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed3f51ec-ffe6-42df-9ccb-e55b7a0ad59f} 4868 "\\.\pipe\gecko-crash-server-pipe.4868" 5804 257b5227d58 tab
    3⤵
    PID:5052
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4868.13.268674040\601469055" -childID 11 -isForBrowser -prefsHandle 5340 -prefMapHandle 4112 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e4c64c29-da29-4cc7-9e8b-a9a8af9e43d3} 4868 "\\.\pipe\gecko-crash-server-pipe.4868" 4424 257b62b3f58 tab
    3⤵
    PID:5072
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4868.14.1393475650\1657406452" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 5856 -prefMapHandle 4460 -prefsLen 26768 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {186f8f3f-3434-4d59-bf3c-4b5de19b165d} 4868 "\\.\pipe\gecko-crash-server-pipe.4868" 4684 257b67e3158 utility
    3⤵
    PID:4504
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4868.15.198921445\797165711" -childID 12 -isForBrowser -prefsHandle 6240 -prefMapHandle 5868 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1324 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e38fc8cd-b001-4fb8-8e65-03f143d74ab2} 4868 "\\.\pipe\gecko-crash-server-pipe.4868" 6220 257b44c2958 tab
    3⤵
    PID:4644

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3064

C:\Users\Admin\Pictures\[email protected]
"C:\Users\Admin\Pictures\[email protected]"
1⤵
- Drops file in Windows directory
PID:3308
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1400
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN rhaegal
    3⤵
    PID:4088
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /F /TN rhaegal
      4⤵
      PID:3096
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1544923185 && exit"
    3⤵
    PID:1260
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1544923185 && exit"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4844
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 13:50:00
    3⤵
    PID:3412
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 13:50:00
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2864
- - C:\Windows\FA8E.tmp
    "C:\Windows\FA8E.tmp" \\.\pipe\{BC39B3B2-C791-44C1-A68F-C9DF707F575B}
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3860

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3856

C:\Users\Admin\Pictures\[email protected]
"C:\Users\Admin\Pictures\[email protected]"
1⤵
- Drops file in Windows directory
PID:3256
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4620

C:\Users\Admin\Pictures\[email protected]
"C:\Users\Admin\Pictures\[email protected]"
1⤵
- Drops file in Windows directory
PID:4488
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2300

C:\Users\Admin\Pictures\[email protected]
"C:\Users\Admin\Pictures\[email protected]"
1⤵
- Drops file in Windows directory
PID:2444
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2288

C:\Users\Admin\Music\[email protected]
"C:\Users\Admin\Music\[email protected]"
1⤵
- Drops startup file
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3452
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:1360
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe advfirewall reset
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:4620
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___GG49MH_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  PID:560
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___R64LG_.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2248
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /d /c taskkill /f /im "E" > NUL & ping -n 1 127.0.0.1 > NUL & del "C" > NUL && exit
  2⤵
  PID:1408
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "E"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2880
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 1 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:4844

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___GG49MH_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
PID:5100

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1296
- C:\Windows\system32\dashost.exe
  dashost.exe {540cba09-583e-446c-8141bc16fd9bd116}
  2⤵
  PID:5068

C:\Users\Admin\Pictures\[email protected]
"C:\Users\Admin\Pictures\[email protected]"
1⤵
PID:2924
- C:\Users\Admin\AppData\Local\Temp\AV.EXE
  "C:\Users\Admin\AppData\Local\Temp\AV.EXE"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  PID:1472
- C:\Users\Admin\AppData\Local\Temp\AV2.EXE
  "C:\Users\Admin\AppData\Local\Temp\AV2.EXE"
  2⤵
  - Executes dropped EXE
  PID:396
- C:\Users\Admin\AppData\Local\Temp\DB.EXE
  "C:\Users\Admin\AppData\Local\Temp\DB.EXE"
  2⤵
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3452
- - C:\Windows\SysWOW64\cmd.exe
    /c C:\Users\Admin\AppData\Local\Temp\~unins2187.bat "C:\Users\Admin\AppData\Local\Temp\DB.EXE"
    3⤵
    PID:5988
- C:\Users\Admin\AppData\Local\Temp\EN.EXE
  "C:\Users\Admin\AppData\Local\Temp\EN.EXE"
  2⤵
  - Executes dropped EXE
  PID:5140
- C:\Users\Admin\AppData\Local\Temp\SB.EXE
  "C:\Users\Admin\AppData\Local\Temp\SB.EXE"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of AdjustPrivilegeToken
  PID:5204

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5524

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:5564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

System Information Discovery