wannacry | hxxps://www[.]nvidia[.]com/en-au/geforce/geforce-experience/download/

Resubmissions

14-11-2024 23:22

241114-3cks1syldm 8

14-11-2024 11:35

241114-nqg7qayekf 10

Analysis

max time kernel
1049s
max time network
1058s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-11-2024 11:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.nvidia.com/en-au/geforce/geforce-experience/download/

Score

10^/10

wannacry defense_evasion discovery execution impact persistence phishing ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Downloads MZ/PE file
A potential corporate email address has been identified in the URL: 9E1005A551ED61CA0A490D45@AdobeOrg
phishing
A potential corporate email address has been identified in the URL: D6FAAFAD54CA9F560A4C98A5@AdobeOrg
phishing
A potential corporate email address has been identified in the URL: F207D74D549850760A4C98C6@AdobeOrg
phishing
A potential corporate email address has been identified in the URL: OpenSansitalwght@0400
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

GeForce_Experience_v3.28.0.417.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	GeForce_Experience_v3.28.0.417.exe

Drops startup file 2 IoCs

Processes:

WannaCry.EXE

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD2A33.tmp	WannaCry.EXE
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD2A4A.tmp	WannaCry.EXE

Executes dropped EXE 17 IoCs

Processes:

GeForce_Experience_v3.28.0.417.exesetup.exeWannaCry.EXEtaskdl.exeWannaCry.EXE@[email protected]@[email protected]taskhsvc.exetaskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]

pid	Process
4768	GeForce_Experience_v3.28.0.417.exe
1780	setup.exe
844	WannaCry.EXE
4604	taskdl.exe
4732	WannaCry.EXE
7860	@[email protected]
7928	@[email protected]
4016	taskhsvc.exe
4080	taskdl.exe
100	taskse.exe
6632	@[email protected]
3824	taskdl.exe
8444	taskse.exe
7808	@[email protected]
10168	taskdl.exe
7108	taskse.exe
9688	@[email protected]

Loads dropped DLL 25 IoCs

Processes:

setup.exeRunDll32.EXEtaskhsvc.exe

pid	Process
1780	setup.exe
1780	setup.exe
1780	setup.exe
1780	setup.exe
1780	setup.exe
1780	setup.exe
1780	setup.exe
1780	setup.exe
1780	setup.exe
1780	setup.exe
1780	setup.exe
1780	setup.exe
1780	setup.exe
1780	setup.exe
1780	setup.exe
1780	setup.exe
1880	RunDll32.EXE
4016	taskhsvc.exe
4016	taskhsvc.exe
4016	taskhsvc.exe
4016	taskhsvc.exe
4016	taskhsvc.exe
4016	taskhsvc.exe
4016	taskhsvc.exe
4016	taskhsvc.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exeicacls.exe

pid	Process
5364	icacls.exe
5312	icacls.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rxknciwttsoogz987 = "\"C:\\Users\\Admin\\Downloads\\tasksche.exe\""	reg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

Processes:

flow	ioc
684	camo.githubusercontent.com
685	camo.githubusercontent.com
698	raw.githubusercontent.com
699	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

WannaCry.EXE@[email protected]

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	WannaCry.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Drops file in Program Files directory 64 IoCs

Processes:

setup.exe

description	ioc	Process
File created	C:\Program Files\NVIDIA Corporation\Installer2\installer.{E6DFBDC5-88D1-4A06-B7DD-047094F2851B}\0409.ui.strings	setup.exe
File created	C:\Program Files\NVIDIA Corporation\Installer2\installer.{E6DFBDC5-88D1-4A06-B7DD-047094F2851B}\0415.ui.strings	setup.exe
File created	C:\Program Files\NVIDIA Corporation\Installer2\installer.{E6DFBDC5-88D1-4A06-B7DD-047094F2851B}\frame_divider_bar.png	setup.exe
File created	C:\Program Files\NVIDIA Corporation\Installer2\installer.{E6DFBDC5-88D1-4A06-B7DD-047094F2851B}\min_pressed.png	setup.exe
File created	C:\Program Files\NVIDIA Corporation\Installer2\installer.{E6DFBDC5-88D1-4A06-B7DD-047094F2851B}\0000.ui.forms	setup.exe
File created	C:\Program Files\NVIDIA Corporation\Installer2\installer.{E6DFBDC5-88D1-4A06-B7DD-047094F2851B}\0000.ui.strings	setup.exe
File created	C:\Program Files\NVIDIA Corporation\Installer2\installer.{E6DFBDC5-88D1-4A06-B7DD-047094F2851B}\installer_bg1.png	setup.exe
File created	C:\Program Files\NVIDIA Corporation\Installer2\installer.{E6DFBDC5-88D1-4A06-B7DD-047094F2851B}\GFExperience\EULA.html	setup.exe
File created	C:\Program Files\NVIDIA Corporation\Installer2\installer.{E6DFBDC5-88D1-4A06-B7DD-047094F2851B}\0410.ui.forms	setup.exe
File created	C:\Program Files\NVIDIA Corporation\Installer2\installer.{E6DFBDC5-88D1-4A06-B7DD-047094F2851B}\040a.ui.strings	setup.exe
File created	C:\Program Files\NVIDIA Corporation\Installer2\installer.{E6DFBDC5-88D1-4A06-B7DD-047094F2851B}\0410.ui.strings	setup.exe
File created	C:\Program Files\NVIDIA Corporation\Installer2\installer.{E6DFBDC5-88D1-4A06-B7DD-047094F2851B}\041b.ui.strings	setup.exe
File created	C:\Program Files\NVIDIA Corporation\Installer2\installer.{E6DFBDC5-88D1-4A06-B7DD-047094F2851B}\close.png	setup.exe
File created	C:\Program Files\NVIDIA Corporation\Installer2\installer.{E6DFBDC5-88D1-4A06-B7DD-047094F2851B}\primary_btn_enabled.png	setup.exe
File created	C:\Program Files\NVIDIA Corporation\Installer2\CoreTemp.{A2940649-1D97-4405-8B73-98DC747F046E}\NVI2UI.dll	setup.exe
File created	C:\Program Files\NVIDIA Corporation\Installer2\installer.{E6DFBDC5-88D1-4A06-B7DD-047094F2851B}\040b.ui.forms	setup.exe
File created	C:\Program Files\NVIDIA Corporation\Installer2\installer.{E6DFBDC5-88D1-4A06-B7DD-047094F2851B}\040c.ui.strings	setup.exe
File created	C:\Program Files\NVIDIA Corporation\Installer2\installer.{E6DFBDC5-88D1-4A06-B7DD-047094F2851B}\041d.ui.strings	setup.exe
File created	C:\Program Files\NVIDIA Corporation\Installer2\installer.{E6DFBDC5-88D1-4A06-B7DD-047094F2851B}\0804.ui.strings	setup.exe
File created	C:\Program Files\NVIDIA Corporation\Installer2\installer.{E6DFBDC5-88D1-4A06-B7DD-047094F2851B}\close_focus.png	setup.exe
File created	C:\Program Files\NVIDIA Corporation\Installer2\installer.{E6DFBDC5-88D1-4A06-B7DD-047094F2851B}\close_pressed.png	setup.exe
File created	C:\Program Files\NVIDIA Corporation\Installer2\installer.{E6DFBDC5-88D1-4A06-B7DD-047094F2851B}\secondary_btn_enabled.png	setup.exe
File created	C:\Program Files\NVIDIA Corporation\Installer2\installer.{E6DFBDC5-88D1-4A06-B7DD-047094F2851B}\uninstall_btn_hover.png	setup.exe
File created	C:\Program Files\NVIDIA Corporation\Installer2\CoreTemp.{A2940649-1D97-4405-8B73-98DC747F046E}\setup.exe	setup.exe
File created	C:\Program Files\NVIDIA Corporation\Installer2\installer.{E6DFBDC5-88D1-4A06-B7DD-047094F2851B}\uninstall_btn_enabled.png	setup.exe
File created	C:\Program Files\NVIDIA Corporation\Installer2\installer.{E6DFBDC5-88D1-4A06-B7DD-047094F2851B}\0411.ui.forms	setup.exe
File created	C:\Program Files\NVIDIA Corporation\Installer2\installer.{E6DFBDC5-88D1-4A06-B7DD-047094F2851B}\restartnow_btn_enabled.png	setup.exe
File created	C:\Program Files\NVIDIA Corporation\Installer2\installer.{E6DFBDC5-88D1-4A06-B7DD-047094F2851B}\restartnow_btn_pressed.png	setup.exe
File created	C:\Program Files\NVIDIA Corporation\Installer2\installer.{E6DFBDC5-88D1-4A06-B7DD-047094F2851B}\0404.ui.forms	setup.exe
File created	C:\Program Files\NVIDIA Corporation\Installer2\installer.{E6DFBDC5-88D1-4A06-B7DD-047094F2851B}\0405.ui.forms	setup.exe
File created	C:\Program Files\NVIDIA Corporation\Installer2\installer.{E6DFBDC5-88D1-4A06-B7DD-047094F2851B}\restartnow_btn_hover.png	setup.exe
File created	C:\Program Files\NVIDIA Corporation\Installer2\installer.{E6DFBDC5-88D1-4A06-B7DD-047094F2851B}\secondary_btn_focused.png	setup.exe
File created	C:\Program Files\NVIDIA Corporation\Installer2\installer.{E6DFBDC5-88D1-4A06-B7DD-047094F2851B}\0816.ui.forms	setup.exe
File created	C:\Program Files\NVIDIA Corporation\Installer2\installer.{E6DFBDC5-88D1-4A06-B7DD-047094F2851B}\DynamicBillboardPresentations.dll	setup.exe
File created	C:\Program Files\NVIDIA Corporation\Installer2\installer.{E6DFBDC5-88D1-4A06-B7DD-047094F2851B}\0409.ui.forms	setup.exe
File created	C:\Program Files\NVIDIA Corporation\Installer2\installer.{E6DFBDC5-88D1-4A06-B7DD-047094F2851B}\0415.ui.forms	setup.exe
File created	C:\Program Files\NVIDIA Corporation\Installer2\installer.{E6DFBDC5-88D1-4A06-B7DD-047094F2851B}\041d.ui.forms	setup.exe
File created	C:\Program Files\NVIDIA Corporation\Installer2\installer.{E6DFBDC5-88D1-4A06-B7DD-047094F2851B}\0407.ui.forms	setup.exe
File created	C:\Program Files\NVIDIA Corporation\Installer2\installer.{E6DFBDC5-88D1-4A06-B7DD-047094F2851B}\0413.ui.forms	setup.exe
File created	C:\Program Files\NVIDIA Corporation\Installer2\installer.{E6DFBDC5-88D1-4A06-B7DD-047094F2851B}\0405.ui.strings	setup.exe
File created	C:\Program Files\NVIDIA Corporation\Installer2\installer.{E6DFBDC5-88D1-4A06-B7DD-047094F2851B}\040e.ui.strings	setup.exe
File created	C:\Program Files\NVIDIA Corporation\Installer2\installer.{E6DFBDC5-88D1-4A06-B7DD-047094F2851B}\0816.ui.strings	setup.exe
File opened for modification	C:\Program Files\NVIDIA Corporation\Installer2\installer.{E6DFBDC5-88D1-4A06-B7DD-047094F2851B}\DynamicBillboardPresentations.cfg	setup.exe
File created	C:\Program Files\NVIDIA Corporation\Installer2\installer.{E6DFBDC5-88D1-4A06-B7DD-047094F2851B}\041f.ui.forms	setup.exe
File created	C:\Program Files\NVIDIA Corporation\Installer2\installer.{E6DFBDC5-88D1-4A06-B7DD-047094F2851B}\0424.ui.forms	setup.exe
File created	C:\Program Files\NVIDIA Corporation\Installer2\installer.{E6DFBDC5-88D1-4A06-B7DD-047094F2851B}\040a.ui.forms	setup.exe
File created	C:\Program Files\NVIDIA Corporation\Installer2\installer.{E6DFBDC5-88D1-4A06-B7DD-047094F2851B}\min_focus.png	setup.exe
File created	C:\Program Files\NVIDIA Corporation\Installer2\installer.{E6DFBDC5-88D1-4A06-B7DD-047094F2851B}\041e.ui.strings	setup.exe
File created	C:\Program Files\NVIDIA Corporation\Installer2\installer.{E6DFBDC5-88D1-4A06-B7DD-047094F2851B}\installer_bg2.png	setup.exe
File created	C:\Program Files\NVIDIA Corporation\Installer2\installer.{E6DFBDC5-88D1-4A06-B7DD-047094F2851B}\Installer_ELA_Splash_bg2a.png	setup.exe
File created	C:\Program Files\NVIDIA Corporation\Installer2\installer.{E6DFBDC5-88D1-4A06-B7DD-047094F2851B}\0408.ui.strings	setup.exe
File created	C:\Program Files\NVIDIA Corporation\Installer2\installer.{E6DFBDC5-88D1-4A06-B7DD-047094F2851B}\Installer_ELA_Splash_bg1a.png	setup.exe
File created	C:\Program Files\NVIDIA Corporation\Installer2\installer.{E6DFBDC5-88D1-4A06-B7DD-047094F2851B}\restartlater_btn_enabled.png	setup.exe
File created	C:\Program Files\NVIDIA Corporation\Installer2\installer.{E6DFBDC5-88D1-4A06-B7DD-047094F2851B}\theme.cfg	setup.exe
File created	C:\Program Files\NVIDIA Corporation\Installer2\installer.{E6DFBDC5-88D1-4A06-B7DD-047094F2851B}\040c.ui.forms	setup.exe
File created	C:\Program Files\NVIDIA Corporation\Installer2\CoreTemp.{A2940649-1D97-4405-8B73-98DC747F046E}\NvInstallerUtil.dll	setup.exe
File created	C:\Program Files\NVIDIA Corporation\Installer2\installer.{E6DFBDC5-88D1-4A06-B7DD-047094F2851B}\0809.ui.strings	setup.exe
File created	C:\Program Files\NVIDIA Corporation\Installer2\installer.{E6DFBDC5-88D1-4A06-B7DD-047094F2851B}\EULA_bg.png	setup.exe
File created	C:\Program Files\NVIDIA Corporation\Installer2\installer.{E6DFBDC5-88D1-4A06-B7DD-047094F2851B}\041e.ui.forms	setup.exe
File created	C:\Program Files\NVIDIA Corporation\Installer2\CoreTemp.{A2940649-1D97-4405-8B73-98DC747F046E}\NVI2.dll	setup.exe
File created	C:\Program Files\NVIDIA Corporation\Installer2\installer.{E6DFBDC5-88D1-4A06-B7DD-047094F2851B}\DynamicBillboardPresentations.cfg	setup.exe
File created	C:\Program Files\NVIDIA Corporation\Installer2\installer.{E6DFBDC5-88D1-4A06-B7DD-047094F2851B}\0406.ui.forms	setup.exe
File created	C:\Program Files\NVIDIA Corporation\Installer2\installer.{E6DFBDC5-88D1-4A06-B7DD-047094F2851B}\0411.ui.strings	setup.exe
File created	C:\Program Files\NVIDIA Corporation\Installer2\installer.{E6DFBDC5-88D1-4A06-B7DD-047094F2851B}\0422.ui.strings	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 30 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

attrib.exeWMIC.execmd.exe@[email protected]reg.exetaskse.exetaskdl.exeattrib.execmd.exe@[email protected]icacls.exeattrib.exetaskse.exe@[email protected]taskhsvc.exe@[email protected]GeForce_Experience_v3.28.0.417.exeRunDll32.EXEcmd.exetaskdl.exetaskse.exesetup.exeWannaCry.EXE@[email protected]taskdl.exetaskdl.exeWannaCry.EXEcmd.execscript.exeicacls.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GeForce_Experience_v3.28.0.417.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RunDll32.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

setup.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	setup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	setup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	setup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	setup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

reg.exe

pid	Process
7420	reg.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

setup.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup.exe

NTFS ADS 2 IoCs

Processes:

msedge.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 139929.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 163867.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exetaskhsvc.exe

pid	Process
4464	msedge.exe
4464	msedge.exe
2180	msedge.exe
2180	msedge.exe
5104	identity_helper.exe
5104	identity_helper.exe
520	msedge.exe
520	msedge.exe
7224	msedge.exe
7224	msedge.exe
7224	msedge.exe
7224	msedge.exe
10168	msedge.exe
10168	msedge.exe
4016	taskhsvc.exe
4016	taskhsvc.exe
4016	taskhsvc.exe
4016	taskhsvc.exe
4016	taskhsvc.exe
4016	taskhsvc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid	Process
4312	7zFM.exe

Suspicious behavior: LoadsDriver 6 IoCs

Processes:

pid	Process
4