adwind | 497fa678528f8dc7dfaebe76f73061581f621d5eb2ed06e0c8b937a9131e9191

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

build.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	build.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	build.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	build.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit
Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
Sality family
sality

UAC bypass 3 TTPs 2 IoCs

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

Processes:

build.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	build.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Windows security bypass 2 TTPs 12 IoCs

Disable or Modify Tools

Modify Registry

Processes:

svchost.exebuild.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	build.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	build.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	build.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	build.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	build.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	build.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

Processes:

497fa678528f8dc7dfaebe76f73061581f621d5eb2ed06e0c8b937a9131e9191.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	497fa678528f8dc7dfaebe76f73061581f621d5eb2ed06e0c8b937a9131e9191.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	svchost.exe

Deletes itself 1 IoCs

Processes:

build.exe

pid process

4352 build.exe
Executes dropped EXE 7 IoCs

Processes:

build.exebuildmgr.exesvchost.exebuild.exebuildmgr.exesvchost.exesvchostmgr.exe

pid process

4352 build.exe
1508 buildmgr.exe
1764 svchost.exe
5012 build.exe
1832 buildmgr.exe
2636 svchost.exe
1156 svchostmgr.exe
Loads dropped DLL 3 IoCs

Processes:

buildmgr.exebuildmgr.exesvchostmgr.exe

pid process

1508 buildmgr.exe
1832 buildmgr.exe
1156 svchostmgr.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

pid	process
4352	build.exe

pid	process
4352	build.exe
1508	buildmgr.exe
1764	svchost.exe
5012	build.exe
1832	buildmgr.exe
2636	svchost.exe
1156	svchostmgr.exe

pid	process
1508	buildmgr.exe
1832	buildmgr.exe
1156	svchostmgr.exe

Windows security modification 2 TTPs 14 IoCs

Disable or Modify Tools

Modify Registry

Processes:

svchost.exebuild.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	build.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	build.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	build.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	build.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	build.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	build.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	build.exe

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

Processes:

build.exebuild.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	build.exe
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	build.exe
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	build.exe
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	build.exe
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	build.exe
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	build.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	svchost.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

System Information Discovery

Processes:

build.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	build.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Enumerates connected drives 3 TTPs 7 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

build.exesvchost.exe

description	ioc	process
File opened (read-only)	\??\G:	build.exe
File opened (read-only)	\??\H:	build.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\E:	build.exe

Drops file in System32 directory 8 IoCs

Processes:

build.exesvchost.exebuild.exe497fa678528f8dc7dfaebe76f73061581f621d5eb2ed06e0c8b937a9131e9191.exe

description	ioc	process
File created	C:\Windows\SysWOW64\buildmgr.exe	build.exe
File opened for modification	C:\Windows\SysWOW64\server.jar	svchost.exe
File opened for modification	C:\Windows\SysWOW64\server1.jar	svchost.exe
File created	C:\Windows\SysWOW64\build.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\buildmgr.exe	build.exe
File created	C:\Windows\SysWOW64\server.jar	497fa678528f8dc7dfaebe76f73061581f621d5eb2ed06e0c8b937a9131e9191.exe
File created	C:\Windows\SysWOW64\server1.jar	497fa678528f8dc7dfaebe76f73061581f621d5eb2ed06e0c8b937a9131e9191.exe
File created	C:\Windows\SysWOW64\build.exe	497fa678528f8dc7dfaebe76f73061581f621d5eb2ed06e0c8b937a9131e9191.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 1764 set thread context of 2636 1764 svchost.exe svchost.exe

description	pid	process	target process
PID 1764 set thread context of 2636	1764	svchost.exe	svchost.exe

UPX packed file 31 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4352-28-0x0000000002230000-0x00000000032BE000-memory.dmp	upx
behavioral2/memory/4352-35-0x0000000002230000-0x00000000032BE000-memory.dmp	upx
behavioral2/memory/4352-38-0x0000000002230000-0x00000000032BE000-memory.dmp	upx
behavioral2/memory/4352-41-0x0000000002230000-0x00000000032BE000-memory.dmp	upx
behavioral2/memory/4352-44-0x0000000002230000-0x00000000032BE000-memory.dmp	upx
behavioral2/memory/4352-51-0x0000000002230000-0x00000000032BE000-memory.dmp	upx
behavioral2/memory/4352-55-0x0000000002230000-0x00000000032BE000-memory.dmp	upx
behavioral2/memory/1508-60-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/4352-39-0x0000000002230000-0x00000000032BE000-memory.dmp	upx
behavioral2/memory/4352-36-0x0000000002230000-0x00000000032BE000-memory.dmp	upx
behavioral2/memory/4352-61-0x0000000002230000-0x00000000032BE000-memory.dmp	upx
behavioral2/memory/4352-62-0x0000000002230000-0x00000000032BE000-memory.dmp	upx
behavioral2/memory/4352-63-0x0000000002230000-0x00000000032BE000-memory.dmp	upx
behavioral2/memory/4352-64-0x0000000002230000-0x00000000032BE000-memory.dmp	upx
behavioral2/memory/4352-65-0x0000000002230000-0x00000000032BE000-memory.dmp	upx
behavioral2/memory/4352-75-0x0000000002230000-0x00000000032BE000-memory.dmp	upx
behavioral2/memory/4352-89-0x0000000002230000-0x00000000032BE000-memory.dmp	upx
behavioral2/memory/4352-90-0x0000000002230000-0x00000000032BE000-memory.dmp	upx
behavioral2/memory/4352-91-0x0000000002230000-0x00000000032BE000-memory.dmp	upx
behavioral2/memory/1764-115-0x000000000A700000-0x000000000B78E000-memory.dmp	upx
behavioral2/memory/1764-121-0x000000000A700000-0x000000000B78E000-memory.dmp	upx
behavioral2/memory/1764-120-0x000000000A700000-0x000000000B78E000-memory.dmp	upx
behavioral2/memory/1764-118-0x000000000A700000-0x000000000B78E000-memory.dmp	upx
behavioral2/memory/1764-117-0x000000000A700000-0x000000000B78E000-memory.dmp	upx
behavioral2/memory/1764-119-0x000000000A700000-0x000000000B78E000-memory.dmp	upx
behavioral2/memory/1764-116-0x000000000A700000-0x000000000B78E000-memory.dmp	upx
behavioral2/memory/1764-113-0x000000000A700000-0x000000000B78E000-memory.dmp	upx
behavioral2/memory/1764-122-0x000000000A700000-0x000000000B78E000-memory.dmp	upx
behavioral2/memory/1764-128-0x000000000A700000-0x000000000B78E000-memory.dmp	upx
behavioral2/memory/1764-127-0x000000000A700000-0x000000000B78E000-memory.dmp	upx
behavioral2/memory/1764-130-0x000000000A700000-0x000000000B78E000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

Processes:

build.exe

description ioc process

File opened for modification C:\Windows\SYSTEM.INI build.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4436 1508 WerFault.exe buildmgr.exe
2752 1832 WerFault.exe buildmgr.exe

description	ioc	process
File opened for modification	C:\Windows\SYSTEM.INI	build.exe

pid	pid_target	process	target process
4436	1508	WerFault.exe	buildmgr.exe
2752	1832	WerFault.exe	buildmgr.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

build.exebuildmgr.exesvchost.exesvchostmgr.exe497fa678528f8dc7dfaebe76f73061581f621d5eb2ed06e0c8b937a9131e9191.exebuild.exebuildmgr.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	buildmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchostmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	497fa678528f8dc7dfaebe76f73061581f621d5eb2ed06e0c8b937a9131e9191.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	buildmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Modifies registry class 2 IoCs

Processes:

497fa678528f8dc7dfaebe76f73061581f621d5eb2ed06e0c8b937a9131e9191.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	497fa678528f8dc7dfaebe76f73061581f621d5eb2ed06e0c8b937a9131e9191.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	svchost.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

build.exesvchost.exe

pid process

4352 build.exe
4352 build.exe
4352 build.exe
4352 build.exe
1764 svchost.exe
1764 svchost.exe
1764 svchost.exe
1764 svchost.exe

pid	process
4352	build.exe
4352	build.exe
4352	build.exe
4352	build.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe
1764	svchost.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

497fa678528f8dc7dfaebe76f73061581f621d5eb2ed06e0c8b937a9131e9191.exebuild.exesvchost.exebuild.exe

description	pid	process
Token: SeDebugPrivilege	3252	497fa678528f8dc7dfaebe76f73061581f621d5eb2ed06e0c8b937a9131e9191.exe
Token: SeDebugPrivilege	4352	build.exe
Token: SeDebugPrivilege	4352	build.exe
Token: SeDebugPrivilege	4352	build.exe
Token: SeDebugPrivilege	4352	build.exe
Token: SeDebugPrivilege	4352	build.exe
Token: SeDebugPrivilege	4352	build.exe
Token: SeDebugPrivilege	4352	build.exe
Token: SeDebugPrivilege	4352	build.exe
Token: SeDebugPrivilege	4352	build.exe
Token: SeDebugPrivilege	4352	build.exe
Token: SeDebugPrivilege	4352	build.exe
Token: SeDebugPrivilege	1764	svchost.exe
Token: SeDebugPrivilege	4352	build.exe
Token: SeDebugPrivilege	4352	build.exe
Token: SeDebugPrivilege	4352	build.exe
Token: SeDebugPrivilege	4352	build.exe
Token: SeDebugPrivilege	4352	build.exe
Token: SeDebugPrivilege	4352	build.exe
Token: SeDebugPrivilege	4352	build.exe
Token: SeDebugPrivilege	4352	build.exe
Token: SeDebugPrivilege	4352	build.exe
Token: SeDebugPrivilege	4352	build.exe
Token: SeDebugPrivilege	4352	build.exe
Token: SeDebugPrivilege	4352	build.exe
Token: SeDebugPrivilege	1764	svchost.exe
Token: SeDebugPrivilege	1764	svchost.exe
Token: SeDebugPrivilege	1764	svchost.exe
Token: SeDebugPrivilege	1764	svchost.exe
Token: SeDebugPrivilege	1764	svchost.exe
Token: SeDebugPrivilege	1764	svchost.exe
Token: SeDebugPrivilege	1764	svchost.exe
Token: SeDebugPrivilege	1764	svchost.exe
Token: SeDebugPrivilege	1764	svchost.exe
Token: SeDebugPrivilege	1764	svchost.exe
Token: SeDebugPrivilege	5012	build.exe
Token: SeDebugPrivilege	1764	svchost.exe
Token: SeDebugPrivilege	1764	svchost.exe
Token: SeDebugPrivilege	1764	svchost.exe
Token: SeDebugPrivilege	1764	svchost.exe
Token: SeDebugPrivilege	1764	svchost.exe
Token: SeDebugPrivilege	1764	svchost.exe
Token: SeDebugPrivilege	1764	svchost.exe
Token: SeDebugPrivilege	1764	svchost.exe
Token: SeDebugPrivilege	1764	svchost.exe
Token: SeDebugPrivilege	1764	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

497fa678528f8dc7dfaebe76f73061581f621d5eb2ed06e0c8b937a9131e9191.exebuild.exesvchost.exe

description	pid	process	target process
PID 3252 wrote to memory of 3540	3252	497fa678528f8dc7dfaebe76f73061581f621d5eb2ed06e0c8b937a9131e9191.exe	javaw.exe
PID 3252 wrote to memory of 3540	3252	497fa678528f8dc7dfaebe76f73061581f621d5eb2ed06e0c8b937a9131e9191.exe	javaw.exe
PID 3252 wrote to memory of 5036	3252	497fa678528f8dc7dfaebe76f73061581f621d5eb2ed06e0c8b937a9131e9191.exe	javaw.exe
PID 3252 wrote to memory of 5036	3252	497fa678528f8dc7dfaebe76f73061581f621d5eb2ed06e0c8b937a9131e9191.exe	javaw.exe
PID 3252 wrote to memory of 4352	3252	497fa678528f8dc7dfaebe76f73061581f621d5eb2ed06e0c8b937a9131e9191.exe	build.exe
PID 3252 wrote to memory of 4352	3252	497fa678528f8dc7dfaebe76f73061581f621d5eb2ed06e0c8b937a9131e9191.exe	build.exe
PID 3252 wrote to memory of 4352	3252	497fa678528f8dc7dfaebe76f73061581f621d5eb2ed06e0c8b937a9131e9191.exe	build.exe
PID 4352 wrote to memory of 1508	4352	build.exe	buildmgr.exe
PID 4352 wrote to memory of 1508	4352	build.exe	buildmgr.exe
PID 4352 wrote to memory of 1508	4352	build.exe	buildmgr.exe
PID 3252 wrote to memory of 1764	3252	497fa678528f8dc7dfaebe76f73061581f621d5eb2ed06e0c8b937a9131e9191.exe	svchost.exe
PID 3252 wrote to memory of 1764	3252	497fa678528f8dc7dfaebe76f73061581f621d5eb2ed06e0c8b937a9131e9191.exe	svchost.exe
PID 3252 wrote to memory of 1764	3252	497fa678528f8dc7dfaebe76f73061581f621d5eb2ed06e0c8b937a9131e9191.exe	svchost.exe
PID 4352 wrote to memory of 784	4352	build.exe	fontdrvhost.exe
PID 4352 wrote to memory of 792	4352	build.exe	fontdrvhost.exe
PID 4352 wrote to memory of 388	4352	build.exe	dwm.exe
PID 4352 wrote to memory of 696	4352	build.exe	sihost.exe
PID 4352 wrote to memory of 3092	4352	build.exe	svchost.exe
PID 4352 wrote to memory of 3132	4352	build.exe	taskhostw.exe
PID 4352 wrote to memory of 3452	4352	build.exe	Explorer.EXE
PID 4352 wrote to memory of 3572	4352	build.exe	svchost.exe
PID 4352 wrote to memory of 3768	4352	build.exe	DllHost.exe
PID 4352 wrote to memory of 3892	4352	build.exe	StartMenuExperienceHost.exe
PID 4352 wrote to memory of 3984	4352	build.exe	RuntimeBroker.exe
PID 4352 wrote to memory of 4076	4352	build.exe	SearchApp.exe
PID 4352 wrote to memory of 3856	4352	build.exe	RuntimeBroker.exe
PID 4352 wrote to memory of 740	4352	build.exe	RuntimeBroker.exe
PID 4352 wrote to memory of 2132	4352	build.exe	RuntimeBroker.exe
PID 4352 wrote to memory of 4488	4352	build.exe	TextInputHost.exe
PID 4352 wrote to memory of 4680	4352	build.exe	backgroundTaskHost.exe
PID 4352 wrote to memory of 3252	4352	build.exe	497fa678528f8dc7dfaebe76f73061581f621d5eb2ed06e0c8b937a9131e9191.exe
PID 4352 wrote to memory of 4448	4352	build.exe	RuntimeBroker.exe
PID 4352 wrote to memory of 3540	4352	build.exe	javaw.exe
PID 4352 wrote to memory of 1508	4352	build.exe	buildmgr.exe
PID 4352 wrote to memory of 1508	4352	build.exe	buildmgr.exe
PID 4352 wrote to memory of 1764	4352	build.exe	svchost.exe
PID 4352 wrote to memory of 1764	4352	build.exe	svchost.exe
PID 1764 wrote to memory of 536	1764	svchost.exe	javaw.exe
PID 1764 wrote to memory of 536	1764	svchost.exe	javaw.exe
PID 4352 wrote to memory of 784	4352	build.exe	fontdrvhost.exe
PID 4352 wrote to memory of 792	4352	build.exe	fontdrvhost.exe
PID 4352 wrote to memory of 388	4352	build.exe	dwm.exe
PID 4352 wrote to memory of 696	4352	build.exe	sihost.exe
PID 4352 wrote to memory of 3092	4352	build.exe	svchost.exe
PID 4352 wrote to memory of 3132	4352	build.exe	taskhostw.exe
PID 4352 wrote to memory of 3452	4352	build.exe	Explorer.EXE
PID 4352 wrote to memory of 3572	4352	build.exe	svchost.exe
PID 4352 wrote to memory of 3768	4352	build.exe	DllHost.exe
PID 4352 wrote to memory of 3892	4352	build.exe	StartMenuExperienceHost.exe
PID 4352 wrote to memory of 3984	4352	build.exe	RuntimeBroker.exe
PID 4352 wrote to memory of 4076	4352	build.exe	SearchApp.exe
PID 4352 wrote to memory of 3856	4352	build.exe	RuntimeBroker.exe
PID 4352 wrote to memory of 740	4352	build.exe	RuntimeBroker.exe
PID 4352 wrote to memory of 2132	4352	build.exe	RuntimeBroker.exe
PID 4352 wrote to memory of 4488	4352	build.exe	TextInputHost.exe
PID 4352 wrote to memory of 4680	4352	build.exe	backgroundTaskHost.exe
PID 4352 wrote to memory of 4448	4352	build.exe	RuntimeBroker.exe
PID 4352 wrote to memory of 536	4352	build.exe	javaw.exe
PID 1764 wrote to memory of 2720	1764	svchost.exe	javaw.exe
PID 1764 wrote to memory of 2720	1764	svchost.exe	javaw.exe
PID 1764 wrote to memory of 784	1764	svchost.exe	fontdrvhost.exe
PID 1764 wrote to memory of 792	1764	svchost.exe	fontdrvhost.exe
PID 1764 wrote to memory of 388	1764	svchost.exe	dwm.exe
PID 1764 wrote to memory of 696	1764	svchost.exe	sihost.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

Processes:

build.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	build.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

outlook_office_path 1 IoCs

Processes:

build.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	build.exe

outlook_win_path 1 IoCs

Processes:

build.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	build.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:784

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:792

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:388

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:3092

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:3132

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3452
- C:\Users\Admin\AppData\Local\Temp\497fa678528f8dc7dfaebe76f73061581f621d5eb2ed06e0c8b937a9131e9191.exe
  "C:\Users\Admin\AppData\Local\Temp\497fa678528f8dc7dfaebe76f73061581f621d5eb2ed06e0c8b937a9131e9191.exe"
  2⤵
  - Checks computer location settings
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3252
- - C:\Program Files\Java\jre-1.8\bin\javaw.exe
    "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Windows\system32\server.jar"
    3⤵
    PID:3540
- - C:\Program Files\Java\jre-1.8\bin\javaw.exe
    "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Windows\system32\server1.jar"
    3⤵
    PID:5036
- - C:\Windows\SysWOW64\build.exe
    "C:\Windows\system32\build.exe"
    3⤵
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Deletes itself
    - Executes dropped EXE
    - Windows security modification
    - Accesses Microsoft Outlook profiles
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:4352
  - - C:\Windows\SysWOW64\buildmgr.exe
      C:\Windows\SysWOW64\buildmgr.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1508
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 484
        5⤵
        Program crash
        
        PID:4436
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1764
  - - C:\Program Files\Java\jre-1.8\bin\javaw.exe
      "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Windows\system32\server.jar"
      4⤵
      PID:536
  - - C:\Program Files\Java\jre-1.8\bin\javaw.exe
      "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Windows\system32\server1.jar"
      4⤵
      PID:2720
  - - C:\Windows\SysWOW64\build.exe
      "C:\Windows\system32\build.exe"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook profiles
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      outlook_office_path
      outlook_win_path
      PID:5012
    - - C:\Windows\SysWOW64\buildmgr.exe
        
        C:\Windows\SysWOW64\buildmgr.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1832
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 452
        6⤵
        Program crash
        
        PID:2752
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe "
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2636
    - - C:\Users\Admin\AppData\Roaming\svchostmgr.exe
        
        C:\Users\Admin\AppData\Roaming\svchostmgr.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1156

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3572

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3768

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3892

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3984

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4076

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3856

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:740

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2132

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:4488

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:4680

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1508 -ip 1508
1⤵
PID:3048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1832 -ip 1832
1⤵
PID:3844

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:1012

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:4344

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

Modify Registry

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery