sality | cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
Sality family
sality

UAC bypass 3 TTPs 2 IoCs

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Windows security bypass 2 TTPs 12 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe

Adds policy Run key to start application 2 TTPs 10 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sys = "C:\\WINDOWS\\Fonts\\Fonts.exe"	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sys = "C:\\WINDOWS\\Fonts\\Fonts.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sys = "C:\\WINDOWS\\Fonts\\Fonts.exe"	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sys = "C:\\WINDOWS\\Fonts\\Fonts.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sys = "C:\\WINDOWS\\Fonts\\Fonts.exe"	system.exe

Drops file in Drivers directory 5 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\drivers\drivers.cab.exe	system.exe
File created	C:\WINDOWS\SysWOW64\drivers\drivers.cab.exe	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
File opened for modification	C:\WINDOWS\SysWOW64\drivers\drivers.cab.exe	Global.exe
File created	C:\WINDOWS\SysWOW64\drivers\drivers.cab.exe	svchost.exe
File created	C:\WINDOWS\SysWOW64\drivers\drivers.cab.exe	system.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "C:\\WINDOWS\\Media\\rndll32.pif"	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "C:\\WINDOWS\\Fonts\\fonts.exe"	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.com"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe\Debugger = "C:\\WINDOWS\\Fonts\\Fonts.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\WINDOWS\\Fonts\\tskmgr.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\WINDOWS\\Fonts\\tskmgr.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "C:\\WINDOWS\\Media\\rndll32.pif"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "C:\\WINDOWS\\Media\\rndll32.pif"	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe"	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe"	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "C:\\WINDOWS\\Fonts\\fonts.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe\Debugger = "C:\\WINDOWS\\Fonts\\Fonts.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\WINDOWS\\Fonts\\tskmgr.exe"	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe"	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\WINDOWS\\Fonts\\tskmgr.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe"	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.com"	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe"	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "C:\\WINDOWS\\Media\\rndll32.pif"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.com"	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "C:\\WINDOWS\\Fonts\\fonts.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe"	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "C:\\WINDOWS\\Fonts\\fonts.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe	svchost.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Global.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe

Executes dropped EXE 4 IoCs

pid	Process
3008	Global.exe
4304	svchost.exe
5048	system.exe
2276	system.exe

Modifies system executable filetype association 2 TTPs 10 IoCs

Modify Registry

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\NeverShowExt = "1"	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\NeverShowExt = "1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\NeverShowExt = "1"	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\NeverShowExt = "1"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\NeverShowExt = "1"	system.exe

Windows security modification 2 TTPs 14 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe

Adds Run key to start application 2 TTPs 15 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\WINDOWS\\system\\KEYBOARD.exe"	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\WINDOWS\\system\\KEYBOARD.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\WINDOWS\\system32\\dllcache\\Default.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\WINDOWS\\system32\\dllcache\\Default.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\WINDOWS\\system\\KEYBOARD.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\WINDOWS\\system32\\dllcache\\Default.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\WINDOWS\\system32\\dllcache\\Default.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\WINDOWS\\system\\KEYBOARD.exe"	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\WINDOWS\\system32\\dllcache\\Default.exe"	Global.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\WINDOWS\\system32\\dllcache\\Default.exe"	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\WINDOWS\\system32\\dllcache\\Default.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\WINDOWS\\system32\\dllcache\\Default.exe"	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\WINDOWS\\system32\\dllcache\\Default.exe"	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\WINDOWS\\system32\\dllcache\\Default.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\WINDOWS\\system\\KEYBOARD.exe"	system.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

System Information Discovery

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Enumerates connected drives 3 TTPs 6 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe

Drops autorun.inf file 1 TTPs 12 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\autorun.inf	svchost.exe
File opened for modification	C:\autorun.inf	Global.exe
File created	F:\autorun.inf	Global.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\autorun.inf	system.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\autorun.inf	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
File created	C:\WINDOWS\SysWOW64\dllcache\autorun.inf	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\autorun.inf	Global.exe
File opened for modification	F:\autorun.inf	Global.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\autorun.inf	system.exe
File created	C:\autorun.inf	Global.exe
File opened for modification	D:\autorun.inf	Global.exe
File created	D:\autorun.inf	Global.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E)\Global.exe	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe	svchost.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\tskmgr.exe	Global.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe	Global.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Global.exe	Global.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache	svchost.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe	svchost.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Global.exe	svchost.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\	svchost.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\autorun.inf	svchost.exe
File created	C:\WINDOWS\SysWOW64\dllcache\tskmgr.exe	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache	system.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Default.exe	system.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Default.exe	Global.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache	Global.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe	system.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\	system.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Default.exe	system.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\	Global.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\autorun.inf	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Default.exe	svchost.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\autorun.inf	system.exe
File created	C:\WINDOWS\SysWOW64\dllcache\autorun.inf	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
File created	C:\WINDOWS\SysWOW64\dllcache\svchost.exe	svchost.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe	system.exe
File created	C:\WINDOWS\SysWOW64\regedit.exe	system.exe
File created	C:\WINDOWS\SysWOW64\dllcache\svchost.exe	system.exe
File created	C:\WINDOWS\SysWOW64\regedit.exe	system.exe
File created	C:\WINDOWS\SysWOW64\dllcache\tskmgr.exe	Global.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe	svchost.exe
File created	C:\WINDOWS\SysWOW64\regedit.exe	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe	Global.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe	system.exe
File created	C:\WINDOWS\SysWOW64\regedit.exe	Global.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\autorun.inf	Global.exe
File created	C:\WINDOWS\SysWOW64\regedit.exe	svchost.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe	system.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\	system.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\autorun.inf	system.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E)\svchost.exe	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
File created	C:\WINDOWS\SysWOW64\dllcache\svchost.exe	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe	system.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe	system.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe	system.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe	Global.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe	svchost.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\svchost.exe	Global.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe	system.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Global.exe	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Global.exe	system.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe	Global.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Global.exe	system.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache	system.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe	system.exe
File created	C:\WINDOWS\SysWOW64\dllcache\svchost.exe	system.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Default.exe	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
File created	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe	svchost.exe
File opened for modification	C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe	system.exe

UPX packed file 34 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4192-3-0x0000000002BC0000-0x0000000003C7A000-memory.dmp	upx
behavioral2/memory/4192-1-0x0000000002BC0000-0x0000000003C7A000-memory.dmp	upx
behavioral2/memory/4192-6-0x0000000002BC0000-0x0000000003C7A000-memory.dmp	upx
behavioral2/memory/4192-17-0x0000000002BC0000-0x0000000003C7A000-memory.dmp	upx
behavioral2/memory/4192-5-0x0000000002BC0000-0x0000000003C7A000-memory.dmp	upx
behavioral2/memory/4192-4-0x0000000002BC0000-0x0000000003C7A000-memory.dmp	upx
behavioral2/memory/4192-20-0x0000000002BC0000-0x0000000003C7A000-memory.dmp	upx
behavioral2/memory/4192-16-0x0000000002BC0000-0x0000000003C7A000-memory.dmp	upx
behavioral2/memory/4192-19-0x0000000002BC0000-0x0000000003C7A000-memory.dmp	upx
behavioral2/memory/4192-22-0x0000000002BC0000-0x0000000003C7A000-memory.dmp	upx
behavioral2/memory/4192-23-0x0000000002BC0000-0x0000000003C7A000-memory.dmp	upx
behavioral2/memory/4192-24-0x0000000002BC0000-0x0000000003C7A000-memory.dmp	upx
behavioral2/memory/4192-25-0x0000000002BC0000-0x0000000003C7A000-memory.dmp	upx
behavioral2/memory/4192-26-0x0000000002BC0000-0x0000000003C7A000-memory.dmp	upx
behavioral2/memory/4192-111-0x0000000002BC0000-0x0000000003C7A000-memory.dmp	upx
behavioral2/memory/4192-110-0x0000000002BC0000-0x0000000003C7A000-memory.dmp	upx
behavioral2/memory/4304-141-0x0000000002E80000-0x0000000003F3A000-memory.dmp	upx
behavioral2/memory/4304-156-0x0000000002E80000-0x0000000003F3A000-memory.dmp	upx
behavioral2/memory/4304-143-0x0000000002E80000-0x0000000003F3A000-memory.dmp	upx
behavioral2/memory/4304-159-0x0000000002E80000-0x0000000003F3A000-memory.dmp	upx
behavioral2/memory/4304-158-0x0000000002E80000-0x0000000003F3A000-memory.dmp	upx
behavioral2/memory/4304-157-0x0000000002E80000-0x0000000003F3A000-memory.dmp	upx
behavioral2/memory/4304-151-0x0000000002E80000-0x0000000003F3A000-memory.dmp	upx
behavioral2/memory/4304-142-0x0000000002E80000-0x0000000003F3A000-memory.dmp	upx
behavioral2/memory/4304-140-0x0000000002E80000-0x0000000003F3A000-memory.dmp	upx
behavioral2/memory/4304-138-0x0000000002E80000-0x0000000003F3A000-memory.dmp	upx
behavioral2/memory/4304-165-0x0000000002E80000-0x0000000003F3A000-memory.dmp	upx
behavioral2/memory/4304-166-0x0000000002E80000-0x0000000003F3A000-memory.dmp	upx
behavioral2/memory/4304-168-0x0000000002E80000-0x0000000003F3A000-memory.dmp	upx
behavioral2/memory/4304-177-0x0000000002E80000-0x0000000003F3A000-memory.dmp	upx
behavioral2/memory/4304-176-0x0000000002E80000-0x0000000003F3A000-memory.dmp	upx
behavioral2/memory/4304-190-0x0000000002E80000-0x0000000003F3A000-memory.dmp	upx
behavioral2/memory/4304-202-0x0000000002E80000-0x0000000003F3A000-memory.dmp	upx
behavioral2/memory/4304-203-0x0000000002E80000-0x0000000003F3A000-memory.dmp	upx

Drops file in Windows directory 50 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\Cursors\Boom.vbs	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
File opened for modification	C:\WINDOWS\Fonts\tskmgr.exe	Global.exe
File opened for modification	C:\WINDOWS\Cursors\Boom.vbs	system.exe
File created	C:\WINDOWS\Media\rndll32.pif	svchost.exe
File created	C:\WINDOWS\Cursors\Boom.vbs	svchost.exe
File opened for modification	C:\WINDOWS\Cursors\Boom.vbs	svchost.exe
File opened for modification	C:\Windows\SYSTEM.INI	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
File created	C:\WINDOWS\Cursors\Boom.vbs	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
File created	C:\WINDOWS\pchealth\Global.exe	Global.exe
File opened for modification	C:\WINDOWS\Media\rndll32.pif	Global.exe
File created	C:\WINDOWS\Fonts\Fonts.exe	svchost.exe
File created	C:\WINDOWS\Help\microsoft.hlp	system.exe
File created	C:\WINDOWS\Fonts\tskmgr.exe	system.exe
File opened for modification	C:\WINDOWS\Cursors\Boom.vbs	system.exe
File created	C:\WINDOWS\Fonts\wav.wav	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
File created	C:\WINDOWS\Fonts\tskmgr.exe	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
File created	C:\WINDOWS\Help\microsoft.hlp	system.exe
File created	C:\WINDOWS\Media\rndll32.pif	system.exe
File created	C:\WINDOWS\Fonts\Fonts.exe	system.exe
File created	C:\WINDOWS\Fonts\Fonts.exe	system.exe
File created	C:\WINDOWS\pchealth\Global.exe	system.exe
File created	C:\WINDOWS\system\KEYBOARD.exe	system.exe
File created	C:\WINDOWS\Media\rndll32.pif	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
File created	C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com	svchost.exe
File created	C:\WINDOWS\system\KEYBOARD.exe	svchost.exe
File created	C:\WINDOWS\Help\microsoft.hlp	svchost.exe
File created	C:\WINDOWS\pchealth\Global.exe	system.exe
File created	C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com	system.exe
File created	C:\WINDOWS\Fonts\Fonts.exe	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
File created	C:\WINDOWS\Help\microsoft.hlp	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
File created	C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com	Global.exe
File created	C:\WINDOWS\pchealth\Global.exe	svchost.exe
File created	C:\WINDOWS\Fonts\tskmgr.exe	svchost.exe
File opened for modification	C:\WINDOWS\Help\microsoft.hlp	Global.exe
File created	C:\WINDOWS\Cursors\Boom.vbs	Global.exe
File opened for modification	C:\WINDOWS\Cursors\Boom.vbs	Global.exe
File opened for modification	C:\WINDOWS\Fonts\wav.wav	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
File created	C:\WINDOWS\pchealth\Global.exe	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
File created	C:\WINDOWS\system\KEYBOARD.exe	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
File opened for modification	C:\WINDOWS\Fonts\Fonts.exe	Global.exe
File opened for modification	C:\WINDOWS\system\KEYBOARD.exe	Global.exe
File created	C:\WINDOWS\Media\rndll32.pif	system.exe
File created	C:\WINDOWS\Cursors\Boom.vbs	system.exe
File created	C:\Windows\e57bcd8	svchost.exe
File created	C:\WINDOWS\system\KEYBOARD.exe	system.exe
File created	C:\WINDOWS\Fonts\tskmgr.exe	system.exe
File created	C:\WINDOWS\Cursors\Boom.vbs	system.exe
File created	C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com	system.exe
File created	C:\Windows\e578df8	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
File created	C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Global.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe

Modifies Control Panel 20 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\ScreenSaveTimeOut = "30"	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\ScreenSaveTimeOut = "30"	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\AutoEndTasks = "1"	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\AutoEndTasks = "1"	Global.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\ScreenSaveTimeOut = "30"	Global.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\AutoEndTasks = "1"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop	Global.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.com"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\ScreenSaveTimeOut = "30"	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\AutoEndTasks = "1"	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.com"	Global.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\ScreenSaveTimeOut = "30"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.com"	system.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop	system.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.com"	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.com"	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\AutoEndTasks = "1"	system.exe

Modifies registry class 57 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\Shell\Open\Command	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\WINDOWS\\pchealth\\Global.exe"	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "C:\\WINDOWS\\Fonts\\Fonts.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSCFile\Shell\Open\Command	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\WINDOWS\\pchealth\\Global.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\NeverShowExt = "1"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "C:\\WINDOWS\\pchealth\\Global.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\WINDOWS\\pchealth\\Global.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\NeverShowExt = "1"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\Shell\Open\Command	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "VBSFile"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\Shell\Open\Command	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "VBSFile"	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "C:\\WINDOWS\\Fonts\\Fonts.exe"	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\NeverShowExt = "1"	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "VBSFile"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\NeverShowExt = "1"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "C:\\WINDOWS\\Fonts\\Fonts.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "VBSFile"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSCFile\Shell\Open\Command	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\WINDOWS\\pchealth\\Global.exe"	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "C:\\WINDOWS\\pchealth\\Global.exe"	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1"	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSCFile\Shell\Open\Command	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "C:\\WINDOWS\\pchealth\\Global.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\WINDOWS\\pchealth\\Global.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\Shell\Open\Command	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "C:\\WINDOWS\\pchealth\\Global.exe"	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\NeverShowExt = "1"	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSCFile\Shell\Open\Command	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "VBSFile"	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\Shell\Open\Command	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "C:\\WINDOWS\\pchealth\\Global.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "C:\\WINDOWS\\Fonts\\Fonts.exe"	system.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSCFile\Shell\Open\Command	Global.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "C:\\WINDOWS\\Fonts\\Fonts.exe"	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	svchost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
4304	svchost.exe
4304	svchost.exe
4304	svchost.exe
4304	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Token: SeDebugPrivilege	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Token: SeDebugPrivilege	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Token: SeDebugPrivilege	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Token: SeDebugPrivilege	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Token: SeDebugPrivilege	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Token: SeDebugPrivilege	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Token: SeDebugPrivilege	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Token: SeDebugPrivilege	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Token: SeDebugPrivilege	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Token: SeDebugPrivilege	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Token: SeDebugPrivilege	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Token: SeDebugPrivilege	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Token: SeDebugPrivilege	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Token: SeDebugPrivilege	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Token: SeDebugPrivilege	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Token: SeDebugPrivilege	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Token: SeDebugPrivilege	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Token: SeDebugPrivilege	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Token: SeDebugPrivilege	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Token: SeDebugPrivilege	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Token: SeDebugPrivilege	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Token: SeDebugPrivilege	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Token: SeDebugPrivilege	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Token: SeDebugPrivilege	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Token: SeDebugPrivilege	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Token: SeDebugPrivilege	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Token: SeDebugPrivilege	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Token: SeDebugPrivilege	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Token: SeDebugPrivilege	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Token: SeDebugPrivilege	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Token: SeDebugPrivilege	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Token: SeDebugPrivilege	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Token: SeDebugPrivilege	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Token: SeDebugPrivilege	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Token: SeDebugPrivilege	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Token: SeDebugPrivilege	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Token: SeDebugPrivilege	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Token: SeDebugPrivilege	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Token: SeDebugPrivilege	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Token: SeDebugPrivilege	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Token: SeDebugPrivilege	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Token: SeDebugPrivilege	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Token: SeDebugPrivilege	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Token: SeDebugPrivilege	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Token: SeDebugPrivilege	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Token: SeDebugPrivilege	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Token: SeDebugPrivilege	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Token: SeDebugPrivilege	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Token: SeDebugPrivilege	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Token: SeDebugPrivilege	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Token: SeDebugPrivilege	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Token: SeDebugPrivilege	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Token: SeDebugPrivilege	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Token: SeDebugPrivilege	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Token: SeDebugPrivilege	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Token: SeDebugPrivilege	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Token: SeDebugPrivilege	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Token: SeDebugPrivilege	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Token: SeDebugPrivilege	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Token: SeDebugPrivilege	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Token: SeDebugPrivilege	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Token: SeDebugPrivilege	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Token: SeDebugPrivilege	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
3008	Global.exe
4304	svchost.exe
5048	system.exe
2276	system.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 4192 wrote to memory of 788	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe	8
PID 4192 wrote to memory of 792	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe	9
PID 4192 wrote to memory of 388	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe	13
PID 4192 wrote to memory of 2640	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe	44
PID 4192 wrote to memory of 2656	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe	45
PID 4192 wrote to memory of 2804	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe	47
PID 4192 wrote to memory of 3580	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe	56
PID 4192 wrote to memory of 3692	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe	57
PID 4192 wrote to memory of 3884	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe	58
PID 4192 wrote to memory of 4028	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe	59
PID 4192 wrote to memory of 956	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe	60
PID 4192 wrote to memory of 4224	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe	62
PID 4192 wrote to memory of 2312	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe	74
PID 4192 wrote to memory of 816	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe	76
PID 4192 wrote to memory of 3008	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe	82
PID 4192 wrote to memory of 3008	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe	82
PID 4192 wrote to memory of 3008	4192	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe	82
PID 3008 wrote to memory of 4304	3008	Global.exe	84
PID 3008 wrote to memory of 4304	3008	Global.exe	84
PID 3008 wrote to memory of 4304	3008	Global.exe	84
PID 4304 wrote to memory of 788	4304	svchost.exe	8
PID 4304 wrote to memory of 792	4304	svchost.exe	9
PID 4304 wrote to memory of 388	4304	svchost.exe	13
PID 4304 wrote to memory of 2640	4304	svchost.exe	44
PID 4304 wrote to memory of 2656	4304	svchost.exe	45
PID 4304 wrote to memory of 2804	4304	svchost.exe	47
PID 4304 wrote to memory of 3580	4304	svchost.exe	56
PID 4304 wrote to memory of 3692	4304	svchost.exe	57
PID 4304 wrote to memory of 3884	4304	svchost.exe	58
PID 4304 wrote to memory of 4028	4304	svchost.exe	59
PID 4304 wrote to memory of 956	4304	svchost.exe	60
PID 4304 wrote to memory of 4224	4304	svchost.exe	62
PID 4304 wrote to memory of 2312	4304	svchost.exe	74
PID 4304 wrote to memory of 816	4304	svchost.exe	76
PID 4304 wrote to memory of 3008	4304	svchost.exe	82
PID 4304 wrote to memory of 3008	4304	svchost.exe	82
PID 4304 wrote to memory of 5048	4304	svchost.exe	85
PID 4304 wrote to memory of 5048	4304	svchost.exe	85
PID 4304 wrote to memory of 5048	4304	svchost.exe	85
PID 4304 wrote to memory of 2276	4304	svchost.exe	86
PID 4304 wrote to memory of 2276	4304	svchost.exe	86
PID 4304 wrote to memory of 2276	4304	svchost.exe	86
PID 4304 wrote to memory of 788	4304	svchost.exe	8
PID 4304 wrote to memory of 792	4304	svchost.exe	9
PID 4304 wrote to memory of 388	4304	svchost.exe	13
PID 4304 wrote to memory of 2640	4304	svchost.exe	44
PID 4304 wrote to memory of 2656	4304	svchost.exe	45
PID 4304 wrote to memory of 2804	4304	svchost.exe	47
PID 4304 wrote to memory of 3580	4304	svchost.exe	56
PID 4304 wrote to memory of 3692	4304	svchost.exe	57
PID 4304 wrote to memory of 3884	4304	svchost.exe	58
PID 4304 wrote to memory of 4028	4304	svchost.exe	59
PID 4304 wrote to memory of 956	4304	svchost.exe	60
PID 4304 wrote to memory of 4224	4304	svchost.exe	62
PID 4304 wrote to memory of 2312	4304	svchost.exe	74
PID 4304 wrote to memory of 816	4304	svchost.exe	76
PID 4304 wrote to memory of 5048	4304	svchost.exe	85
PID 4304 wrote to memory of 5048	4304	svchost.exe	85
PID 4304 wrote to memory of 2276	4304	svchost.exe	86
PID 4304 wrote to memory of 2276	4304	svchost.exe	86

System policy modification 1 TTPs 12 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableStatusMessages = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableStatusMessages = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Global.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableStatusMessages = "1"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableStatusMessages = "1"	cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableStatusMessages = "1"	Global.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:788

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:792

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:388

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2656

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2804

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3580
- C:\Users\Admin\AppData\Local\Temp\cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe
  "C:\Users\Admin\AppData\Local\Temp\cb84a75021e333ef54d13df9f2bdc1139dade0f1de92d46e30cd6738a6faf442.exe"
  2⤵
  - Modifies firewall policy service
  - UAC bypass
  - Windows security bypass
  - Adds policy Run key to start application
  - Drops file in Drivers directory
  - Event Triggered Execution: Image File Execution Options Injection
  - Checks computer location settings
  - Modifies system executable filetype association
  - Windows security modification
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4192
- - C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe
    "C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe"
    3⤵
    - Adds policy Run key to start application
    - Drops file in Drivers directory
    - Event Triggered Execution: Image File Execution Options Injection
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:3008
  - - C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe
      "C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe"
      4⤵
      Modifies firewall policy service
      UAC bypass
      Windows security bypass
      Adds policy Run key to start application
      Drops file in Drivers directory
      Event Triggered Execution: Image File Execution Options Injection
      Checks computer location settings
      Executes dropped EXE
      Modifies system executable filetype association
      Windows security modification
      Adds Run key to start application
      Checks whether UAC is enabled
      Enumerates connected drives
      Drops autorun.inf file
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Modifies Control Panel
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:4304
    - - C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
        
        "C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe"
        5⤵
        Adds policy Run key to start application
        Drops file in Drivers directory
        Event Triggered Execution: Image File Execution Options Injection
        Executes dropped EXE
        Modifies system executable filetype association
        Adds Run key to start application
        Drops autorun.inf file
        Drops file in System32 directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies Control Panel
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:5048
    - - C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
        
        "C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe"
        5⤵
        Adds policy Run key to start application
        Drops file in Drivers directory
        Event Triggered Execution: Image File Execution Options Injection
        Executes dropped EXE
        Modifies system executable filetype association
        Adds Run key to start application
        Drops autorun.inf file
        Drops file in System32 directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies Control Panel
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:2276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3692

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3884

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4028

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:956

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4224

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:2312

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:816

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery