Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
08-11-2024 01:08
Static task
static1
Behavioral task
behavioral1
Sample
867a698567e61aea24aeff1767619b9494a5dfcf8fd63c7282c29c42c8dfac1d.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
867a698567e61aea24aeff1767619b9494a5dfcf8fd63c7282c29c42c8dfac1d.exe
Resource
win10v2004-20241007-en
General
-
Target
867a698567e61aea24aeff1767619b9494a5dfcf8fd63c7282c29c42c8dfac1d.exe
-
Size
3.3MB
-
MD5
fc8c310f416f252bd419dc55cc08e7a9
-
SHA1
37c58bd11af4de0b0c2aa744b142cc38660bfd4f
-
SHA256
867a698567e61aea24aeff1767619b9494a5dfcf8fd63c7282c29c42c8dfac1d
-
SHA512
bb45a141c53f9917473a691ae3889fe7ce06d96682ff33eced5d20b1e8972fde75cbb26ea9e4ca799211c0cd2b5e8a3a9977a200796a5c285d0fcb0d71e5491c
-
SSDEEP
98304:AXz+HqdYDMjxN3b8/rfb6ray6lwhKW8NArojH:oKHqCm8/n6WWhKdA8j
Malware Config
Signatures
-
Banload
Banload variants download malicious files, then install and execute the files.
-
Banload family
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
Description | IoC | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | update_kor.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | update_kor.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | svchost.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Description | IoC | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | 867a698567e61aea24aeff1767619b9494a5dfcf8fd63c7282c29c42c8dfac1d.exe
-
Drops startup file 1 IoCs
Processes:
Description | IoC | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\èíôîðìåð.txt | 867a698567e61aea24aeff1767619b9494a5dfcf8fd63c7282c29c42c8dfac1d.exe
-
Executes dropped EXE 6 IoCs
Processes:
PID | Process
3584 | svchost.exe
1568 | update_kor.exe
2740 | svchost.exe
2432 | update_kor.exe
4408 | update_kor.exe
4180 | svchost.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Description | IoC | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winrar = "C:\\Users\\Admin\\AppData\\Local\\winrar.exe" | svchost.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
Flow | IoC
19 | whatismyip.akamai.com
-
Drops file in System32 directory 43 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
Description | IoC | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\ttt.jpg" | svchost.exe
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
Description | PID | Process | Target PID
PID 2432 set thread context of 4408 | 2432 | update_kor.exe | 101
PID 2740 set thread context of 4180 | 2740 | svchost.exe | 105
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Description | IoC | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | update_kor.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | update_kor.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | update_kor.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 867a698567e61aea24aeff1767619b9494a5dfcf8fd63c7282c29c42c8dfac1d.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
Description | IoC | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | update_kor.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | update_kor.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | update_kor.exe
-
Modifies Control Panel 3 IoCs
Processes:
Description | IoC | Process
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\Desktop | svchost.exe
Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\Desktop\ | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\Desktop\TileWallpaper = "0" | svchost.exe
-
Modifies registry class 35 IoCs
Processes: update_kor.exe, svchost.exe
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A153E2-A7A1-53E2-A7A1-53E2A7A153E2}\InprocServer32\15.0.0.0 update_kor.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A153E2-A7A1-53E2-A7A1-53E2A7A153E2}\LocalServer32 update_kor.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A153E2-A7A1-53E2-A7A1-53E2A7A153E2}\InprocServer32\Assembly = "Microsoft.Office.Interop.Word, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" svchost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A153E2-A7A1-53E2-A7A1-53E2A7A153E2}\InprocHandler32\ = "ole32.dll" update_kor.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A153E2-A7A1-53E2-A7A1-53E2A7A153E2}\InprocServer32\Assembly = "Microsoft.Office.Interop.Word, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" update_kor.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A153E2-A7A1-53E2-A7A1-53E2A7A153E2}\InprocServer32\15.0.0.0\Assembly = "Microsoft.Office.Interop.Word, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" svchost.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A153E2-A7A1-53E2-A7A1-53E2A7A153E2} update_kor.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A153E2-A7A1-53E2-A7A1-53E2A7A153E2}\ = "Microsoft Word Application" update_kor.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A153E2-A7A1-53E2-A7A1-53E2A7A153E2}\InprocServer32\15.0.0.0 svchost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A153E2-A7A1-53E2-A7A1-53E2A7A153E2}\InprocServer32\15.0.0.0\RuntimeVersion = "v2.0.50727" svchost.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A153E2-A7A1-53E2-A7A1-53E2A7A153E2}\InprocServer32 update_kor.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A153E2-A7A1-53E2-A7A1-53E2A7A153E2}\LocalServer32\ = "\"C:\\Program Files\\Microsoft Office\\Root\\Office16\\WINWORD.EXE\" /Automation" update_kor.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A153E2-A7A1-53E2-A7A1-53E2A7A153E2}\InprocServer32\RuntimeVersion = "v2.0.50727" svchost.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A153E2-A7A1-53E2-A7A1-53E2A7A153E2}\VersionIndependentProgID update_kor.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A153E2-A7A1-53E2-A7A1-53E2A7A153E2}\ = "Microsoft Word Application" svchost.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A153E2-A7A1-53E2-A7A1-53E2A7A153E2}\InprocHandler32 svchost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A153E2-A7A1-53E2-A7A1-53E2A7A153E2}\LocalServer32\ = "\"C:\\Program Files\\Microsoft Office\\Root\\Office16\\WINWORD.EXE\" /Automation" svchost.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A153E2-A7A1-53E2-A7A1-53E2A7A153E2}\VersionIndependentProgID svchost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A153E2-A7A1-53E2-A7A1-53E2A7A153E2}\InprocServer32\15.0.0.0\Class = "Microsoft.Office.Interop.Word.ApplicationClass" update_kor.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A153E2-A7A1-53E2-A7A1-53E2A7A153E2}\InprocServer32\15.0.0.0\RuntimeVersion = "v2.0.50727" update_kor.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A153E2-A7A1-53E2-A7A1-53E2A7A153E2}\InprocServer32 svchost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A153E2-A7A1-53E2-A7A1-53E2A7A153E2}\InprocServer32\15.0.0.0\Class = "Microsoft.Office.Interop.Word.ApplicationClass" svchost.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A153E2-A7A1-53E2-A7A1-53E2A7A153E2}\LocalServer32 svchost.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A153E2-A7A1-53E2-A7A1-53E2A7A153E2}\ProgID svchost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A153E2-A7A1-53E2-A7A1-53E2A7A153E2}\InprocServer32\Class = "Microsoft.Office.Interop.Word.ApplicationClass" update_kor.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A153E2-A7A1-53E2-A7A1-53E2A7A153E2}\VersionIndependentProgID\ = "Word.Application" update_kor.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A153E2-A7A1-53E2-A7A1-53E2A7A153E2}\InprocServer32\Class = "Microsoft.Office.Interop.Word.ApplicationClass" svchost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A153E2-A7A1-53E2-A7A1-53E2A7A153E2}\ProgID\ = "Word.Application.16" svchost.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A153E2-A7A1-53E2-A7A1-53E2A7A153E2}\VersionIndependentProgID\ = "Word.Application" svchost.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A153E2-A7A1-53E2-A7A1-53E2A7A153E2}\InprocHandler32 update_kor.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A153E2-A7A1-53E2-A7A1-53E2A7A153E2}\InprocServer32\RuntimeVersion = "v2.0.50727" update_kor.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A153E2-A7A1-53E2-A7A1-53E2A7A153E2}\InprocServer32\15.0.0.0\Assembly = "Microsoft.Office.Interop.Word, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" update_kor.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A153E2-A7A1-53E2-A7A1-53E2A7A153E2}\ProgID update_kor.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A153E2-A7A1-53E2-A7A1-53E2A7A153E2}\ProgID\ = "Word.Application.16" update_kor.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7A153E2-A7A1-53E2-A7A1-53E2A7A153E2}\InprocHandler32\ = "ole32.dll" svchost.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes: update_kor.exe
pid Process
4408 update_kor.exe
4408 update_kor.exe
4408 update_kor.exe
4408 update_kor.exe
4408 update_kor.exe
4408 update_kor.exe
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes: update_kor.exe, svchost.exe
description pid Process
Token: 33 2432 update_kor.exe
Token: SeIncBasePriorityPrivilege 2432 update_kor.exe
Token: 33 2432 update_kor.exe
Token: SeIncBasePriorityPrivilege 2432 update_kor.exe
Token: 33 2740 svchost.exe
Token: SeIncBasePriorityPrivilege 2740 svchost.exe
Token: 33 2740 svchost.exe
Token: SeIncBasePriorityPrivilege 2740 svchost.exe
-
Suspicious use of WriteProcessMemory 37 IoCs
Processes: 867a698567e61aea24aeff1767619b9494a5dfcf8fd63c7282c29c42c8dfac1d.exe, svchost.exe, update_kor.exe, update_kor.exe, svchost.exe, svchost.exe
description pid Process procid_target
PID 5084 wrote to memory of 3584 5084 867a698567e61aea24aeff1767619b9494a5dfcf8fd63c7282c29c42c8dfac1d.exe 86
PID 5084 wrote to memory of 3584 5084 867a698567e61aea24aeff1767619b9494a5dfcf8fd63c7282c29c42c8dfac1d.exe 86
PID 5084 wrote to memory of 3584 5084 867a698567e61aea24aeff1767619b9494a5dfcf8fd63c7282c29c42c8dfac1d.exe 86
PID 5084 wrote to memory of 1568 5084 867a698567e61aea24aeff1767619b9494a5dfcf8fd63c7282c29c42c8dfac1d.exe 87
PID 5084 wrote to memory of 1568 5084 867a698567e61aea24aeff1767619b9494a5dfcf8fd63c7282c29c42c8dfac1d.exe 87
PID 5084 wrote to memory of 1568 5084 867a698567e61aea24aeff1767619b9494a5dfcf8fd63c7282c29c42c8dfac1d.exe 87
PID 3584 wrote to memory of 2740 3584 svchost.exe 88
PID 3584 wrote to memory of 2740 3584 svchost.exe 88
PID 3584 wrote to memory of 2740 3584 svchost.exe 88
PID 3584 wrote to memory of 2740 3584 svchost.exe 88
PID 1568 wrote to memory of 2432 1568 update_kor.exe 89
PID 1568 wrote to memory of 2432 1568 update_kor.exe 89
PID 1568 wrote to memory of 2432 1568 update_kor.exe 89
PID 1568 wrote to memory of 2432 1568 update_kor.exe 89
PID 3584 wrote to memory of 2740 3584 svchost.exe 88
PID 1568 wrote to memory of 2432 1568 update_kor.exe 89
PID 1568 wrote to memory of 2432 1568 update_kor.exe 89
PID 1568 wrote to memory of 2432 1568 update_kor.exe 89
PID 3584 wrote to memory of 2740 3584 svchost.exe 88
PID 3584 wrote to memory of 2740 3584 svchost.exe 88
PID 1568 wrote to memory of 2432 1568 update_kor.exe 89
PID 1568 wrote to memory of 2432 1568 update_kor.exe 89
PID 2432 wrote to memory of 4408 2432 update_kor.exe 101
PID 2432 wrote to memory of 4408 2432 update_kor.exe 101
PID 2432 wrote to memory of 4408 2432 update_kor.exe 101
PID 2432 wrote to memory of 4408 2432 update_kor.exe 101
PID 2432 wrote to memory of 4408 2432 update_kor.exe 101
PID 3584 wrote to memory of 2740 3584 svchost.exe 88
PID 3584 wrote to memory of 2740 3584 svchost.exe 88
PID 2740 wrote to memory of 4180 2740 svchost.exe 105
PID 2740 wrote to memory of 4180 2740 svchost.exe 105
PID 2740 wrote to memory of 4180 2740 svchost.exe 105
PID 2740 wrote to memory of 4180 2740 svchost.exe 105
PID 2740 wrote to memory of 4180 2740 svchost.exe 105
PID 4180 wrote to memory of 4332 4180 svchost.exe 108
PID 4180 wrote to memory of 4332 4180 svchost.exe 108
PID 4180 wrote to memory of 4332 4180 svchost.exe 108
Processes (process tree; indentation shows parent/child depth, each entry lists image path, command line, matched signatures and PID)
-
C:\Users\Admin\AppData\Local\Temp\867a698567e61aea24aeff1767619b9494a5dfcf8fd63c7282c29c42c8dfac1d.exe
  "C:\Users\Admin\AppData\Local\Temp\867a698567e61aea24aeff1767619b9494a5dfcf8fd63c7282c29c42c8dfac1d.exe"
  - Checks computer location settings
  - Drops startup file
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 5084
  -
  C:\Program Files (x86)\Судебные Приставы РФ\информационный бюллетень\svchost.exe
    "C:\Program Files (x86)\Судебные Приставы РФ\информационный бюллетень\svchost.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3584
    -
    C:\Program Files (x86)\Судебные Приставы РФ\информационный бюллетень\svchost.exe
      "C:\Program Files (x86)\Судебные Приставы РФ\информационный бюллетень\svchost.exe"
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2740
      -
      C:\Program Files (x86)\Судебные Приставы РФ\информационный бюллетень\svchost.exe
        "C:\Program Files (x86)\Судебные Приставы РФ\информационный бюллетень\svchost.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in System32 directory
        - Sets desktop wallpaper using registry
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Modifies Control Panel
        - Suspicious use of WriteProcessMemory
        PID: 4180
        -
        C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c mmm.bat
          - System Location Discovery: System Language Discovery
          PID: 4332
  -
  C:\Program Files (x86)\Судебные Приставы РФ\информационный бюллетень\update_kor.exe
    "C:\Program Files (x86)\Судебные Приставы РФ\информационный бюллетень\update_kor.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1568
    -
    C:\Program Files (x86)\Судебные Приставы РФ\информационный бюллетень\update_kor.exe
      "C:\Program Files (x86)\Судебные Приставы РФ\информационный бюллетень\update_kor.exe"
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2432
      -
      C:\Program Files (x86)\Судебные Приставы РФ\информационный бюллетень\update_kor.exe
        "C:\Program Files (x86)\Судебные Приставы РФ\информационный бюллетень\update_kor.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        PID: 4408
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (4)
    Credentials In Files (4)
Downloads
-
Filesize 17B
-
Filesize 3.6MB
-
Filesize 3.0MB
-
Filesize 4B
-
C:\Users\Admin\AppData\Local\Temp\NO_PWDS_report_08-11-2024_01-08-37-A3C533590EF2311EE9B53A58957F0C8A-FKFK.bin
Filesize 1KB