stormkitty | 190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598

Analysis

max time kernel
150s
max time network
52s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 19:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe
Size

558KB
MD5

f1be3a3edf5bf5e9343bd71cd39d6a1d
SHA1

9fe9268163a4aacf93f287c5ddfe6b79a44d0688
SHA256

190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598
SHA512

43fa1ed4a139141a5b3967fb22b1a55d8efe68df81815f839a7638962e017f4cb6db1ab7ccea27720034946c9423c4c15fa11709a05891de5ac2e3a91020e3e7
SSDEEP

12288:/m/Q6P8j/svm1TXI5tZByKLBwiZlzMB9xgndcP88DvvP:/0P8j/svqAOG6iZ2BLgndcE+vvP

Score

10^/10

stormkitty bootkit collection discovery persistence spyware stealer

Malware Config

Signatures

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1492-0-0x00000184F7C20000-0x00000184F7CB2000-memory.dmp	family_stormkitty
behavioral2/memory/1492-9-0x00000184F9B20000-0x00000184F9B76000-memory.dmp	family_stormkitty
C:\Users\Admin\AppData\Local\Temp\w2rrbtsx.fwt.exe	family_stormkitty
behavioral2/memory/3084-178-0x0000000000340000-0x0000000000396000-memory.dmp	family_stormkitty

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exesvchost.exe

description pid process target process

PID 1492 created 612 1492 190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe winlogon.exe
PID 4416 created 3084 4416 svchost.exe w2rrbtsx.fwt.exe

description	pid	process	target process
PID 1492 created 612	1492	190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe	winlogon.exe
PID 4416 created 3084	4416	svchost.exe	w2rrbtsx.fwt.exe

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1492-0-0x00000184F7C20000-0x00000184F7CB2000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/1492-9-0x00000184F9B20000-0x00000184F9B76000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
C:\Users\Admin\AppData\Local\Temp\w2rrbtsx.fwt.exe	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/3084-178-0x0000000000340000-0x0000000000396000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables containing bas64 encoded gzip files 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1492-0-0x00000184F7C20000-0x00000184F7CB2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
behavioral2/memory/1492-9-0x00000184F9B20000-0x00000184F9B76000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
C:\Users\Admin\AppData\Local\Temp\w2rrbtsx.fwt.exe	INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
behavioral2/memory/3084-178-0x0000000000340000-0x0000000000396000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File

Detects executables referencing Discord tokens regular expressions 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1492-0-0x00000184F7C20000-0x00000184F7CB2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex
behavioral2/memory/1492-9-0x00000184F9B20000-0x00000184F9B76000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex
C:\Users\Admin\AppData\Local\Temp\w2rrbtsx.fwt.exe	INDICATOR_SUSPICIOUS_EXE_Discord_Regex
behavioral2/memory/3084-178-0x0000000000340000-0x0000000000396000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex

Detects executables referencing credit card regular expressions 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1492-0-0x00000184F7C20000-0x00000184F7CB2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_CC_Regex
behavioral2/memory/1492-9-0x00000184F9B20000-0x00000184F9B76000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_CC_Regex
C:\Users\Admin\AppData\Local\Temp\w2rrbtsx.fwt.exe	INDICATOR_SUSPICIOUS_EXE_CC_Regex
behavioral2/memory/3084-178-0x0000000000340000-0x0000000000396000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_CC_Regex

Detects executables referencing many VPN software clients. Observed in infosteslers 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1492-0-0x00000184F7C20000-0x00000184F7CB2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_VPN
behavioral2/memory/1492-9-0x00000184F9B20000-0x00000184F9B76000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_VPN
C:\Users\Admin\AppData\Local\Temp\w2rrbtsx.fwt.exe	INDICATOR_SUSPICIOUS_EXE_References_VPN
behavioral2/memory/3084-178-0x0000000000340000-0x0000000000396000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_VPN

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1492-0-0x00000184F7C20000-0x00000184F7CB2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/1492-9-0x00000184F9B20000-0x00000184F9B76000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
C:\Users\Admin\AppData\Local\Temp\w2rrbtsx.fwt.exe	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/3084-178-0x0000000000340000-0x0000000000396000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Detects executables referencing many email and collaboration clients. Observed in information stealers 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1492-0-0x00000184F7C20000-0x00000184F7CB2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/1492-9-0x00000184F9B20000-0x00000184F9B76000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
C:\Users\Admin\AppData\Local\Temp\w2rrbtsx.fwt.exe	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/3084-178-0x0000000000340000-0x0000000000396000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

Detects executables using Telegram Chat Bot 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1492-0-0x00000184F7C20000-0x00000184F7CB2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
behavioral2/memory/1492-9-0x00000184F9B20000-0x00000184F9B76000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
C:\Users\Admin\AppData\Local\Temp\w2rrbtsx.fwt.exe	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
behavioral2/memory/3084-178-0x0000000000340000-0x0000000000396000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

Sets service image path in registry 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

WaaSMedicAgent.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DoSvc\ImagePath = "C:\\Windows\\System32\\svchost.exe -k NetworkService -p" WaaSMedicAgent.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DoSvc\ImagePath = "C:\\Windows\\System32\\svchost.exe -k NetworkService -p"	WaaSMedicAgent.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wmiprvse.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe

Executes dropped EXE 1 IoCs

Processes:

w2rrbtsx.fwt.exe

pid process

3084 w2rrbtsx.fwt.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3084	w2rrbtsx.fwt.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

w2rrbtsx.fwt.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	w2rrbtsx.fwt.exe
Key opened	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	w2rrbtsx.fwt.exe
Key opened	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	w2rrbtsx.fwt.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 4 IoCs

Processes:

w2rrbtsx.fwt.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\BVRKIPTS\FileGrabber\Desktop\desktop.ini	w2rrbtsx.fwt.exe
File created	C:\Users\Admin\AppData\Roaming\BVRKIPTS\FileGrabber\Documents\desktop.ini	w2rrbtsx.fwt.exe
File created	C:\Users\Admin\AppData\Roaming\BVRKIPTS\FileGrabber\Downloads\desktop.ini	w2rrbtsx.fwt.exe
File created	C:\Users\Admin\AppData\Roaming\BVRKIPTS\FileGrabber\Pictures\desktop.ini	w2rrbtsx.fwt.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 freegeoip.app
8 api.ipify.org
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

wmiprvse.exe

description ioc process

File opened for modification \??\PHYSICALDRIVE0 wmiprvse.exe

flow	ioc
3	freegeoip.app
8	api.ipify.org

description	ioc	process
File opened for modification	\??\PHYSICALDRIVE0	wmiprvse.exe

Drops file in System32 directory 3 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe

description pid process target process

PID 1492 set thread context of 3304 1492 190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe dllhost.exe

description	pid	process	target process
PID 1492 set thread context of 3304	1492	190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe	dllhost.exe

Drops file in Windows directory 7 IoCs

Processes:

svchost.exeTrustedInstaller.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File created	C:\Windows\Logs\CBS\CBS.log	TrustedInstaller.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TrustedInstaller.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2620 3084 WerFault.exe w2rrbtsx.fwt.exe

pid	pid_target	process	target process
2620	3084	WerFault.exe	w2rrbtsx.fwt.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	svchost.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

w2rrbtsx.fwt.exewmiprvse.exesvchost.exeMusNotification.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	w2rrbtsx.fwt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	w2rrbtsx.fwt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotification.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotification.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

wmiprvse.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier wmiprvse.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe

Modifies data under HKEY_USERS 53 IoCs

Processes:

WaaSMedicAgent.exeOfficeClickToRun.exesvchost.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

SCHTASKS.exeSCHTASKS.exe

pid process

2384 SCHTASKS.exe
228 SCHTASKS.exe

pid	process
2384	SCHTASKS.exe
228	SCHTASKS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exedllhost.exew2rrbtsx.fwt.exe

pid	process
1492	190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe
3304	dllhost.exe
3304	dllhost.exe
3304	dllhost.exe
3304	dllhost.exe
3304	dllhost.exe
3304	dllhost.exe
3084	w2rrbtsx.fwt.exe
3084	w2rrbtsx.fwt.exe
3304	dllhost.exe
3304	dllhost.exe
3084	w2rrbtsx.fwt.exe
3304	dllhost.exe
3304	dllhost.exe
3304	dllhost.exe
3304	dllhost.exe
3304	dllhost.exe
3304	dllhost.exe
3304	dllhost.exe
3304	dllhost.exe
3304	dllhost.exe
3304	dllhost.exe
3304	dllhost.exe
3304	dllhost.exe
3304	dllhost.exe
3304	dllhost.exe
3304	dllhost.exe
3304	dllhost.exe
3304	dllhost.exe
3304	dllhost.exe
3304	dllhost.exe
3304	dllhost.exe
3304	dllhost.exe
3304	dllhost.exe
3304	dllhost.exe
3304	dllhost.exe
3304	dllhost.exe
3304	dllhost.exe
3304	dllhost.exe
3304	dllhost.exe
3304	dllhost.exe
3304	dllhost.exe
3304	dllhost.exe
3304	dllhost.exe
3304	dllhost.exe
3304	dllhost.exe
3304	dllhost.exe
3304	dllhost.exe
3304	dllhost.exe
3304	dllhost.exe
3304	dllhost.exe
3304	dllhost.exe
3304	dllhost.exe
3304	dllhost.exe
3304	dllhost.exe
3304	dllhost.exe
3304	dllhost.exe
3304	dllhost.exe
3304	dllhost.exe
3304	dllhost.exe
3304	dllhost.exe
3304	dllhost.exe
3304	dllhost.exe
3304	dllhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exedllhost.exew2rrbtsx.fwt.exeMusNotification.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1492	190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe
Token: SeDebugPrivilege	1492	190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe
Token: SeDebugPrivilege	3304	dllhost.exe
Token: SeDebugPrivilege	3084	w2rrbtsx.fwt.exe
Token: SeShutdownPrivilege	2936	MusNotification.exe
Token: SeCreatePagefilePrivilege	2936	MusNotification.exe
Token: SeAssignPrimaryTokenPrivilege	2220	svchost.exe
Token: SeIncreaseQuotaPrivilege	2220	svchost.exe
Token: SeSecurityPrivilege	2220	svchost.exe
Token: SeTakeOwnershipPrivilege	2220	svchost.exe
Token: SeLoadDriverPrivilege	2220	svchost.exe
Token: SeSystemtimePrivilege	2220	svchost.exe
Token: SeBackupPrivilege	2220	svchost.exe
Token: SeRestorePrivilege	2220	svchost.exe
Token: SeShutdownPrivilege	2220	svchost.exe
Token: SeSystemEnvironmentPrivilege	2220	svchost.exe
Token: SeUndockPrivilege	2220	svchost.exe
Token: SeManageVolumePrivilege	2220	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2220	svchost.exe
Token: SeIncreaseQuotaPrivilege	2220	svchost.exe
Token: SeSecurityPrivilege	2220	svchost.exe
Token: SeTakeOwnershipPrivilege	2220	svchost.exe
Token: SeLoadDriverPrivilege	2220	svchost.exe
Token: SeSystemtimePrivilege	2220	svchost.exe
Token: SeBackupPrivilege	2220	svchost.exe
Token: SeRestorePrivilege	2220	svchost.exe
Token: SeShutdownPrivilege	2220	svchost.exe
Token: SeSystemEnvironmentPrivilege	2220	svchost.exe
Token: SeUndockPrivilege	2220	svchost.exe
Token: SeManageVolumePrivilege	2220	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2220	svchost.exe
Token: SeIncreaseQuotaPrivilege	2220	svchost.exe
Token: SeSecurityPrivilege	2220	svchost.exe
Token: SeTakeOwnershipPrivilege	2220	svchost.exe
Token: SeLoadDriverPrivilege	2220	svchost.exe
Token: SeSystemtimePrivilege	2220	svchost.exe
Token: SeBackupPrivilege	2220	svchost.exe
Token: SeRestorePrivilege	2220	svchost.exe
Token: SeShutdownPrivilege	2220	svchost.exe
Token: SeSystemEnvironmentPrivilege	2220	svchost.exe
Token: SeUndockPrivilege	2220	svchost.exe
Token: SeManageVolumePrivilege	2220	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2220	svchost.exe
Token: SeIncreaseQuotaPrivilege	2220	svchost.exe
Token: SeSecurityPrivilege	2220	svchost.exe
Token: SeTakeOwnershipPrivilege	2220	svchost.exe
Token: SeLoadDriverPrivilege	2220	svchost.exe
Token: SeSystemtimePrivilege	2220	svchost.exe
Token: SeBackupPrivilege	2220	svchost.exe
Token: SeRestorePrivilege	2220	svchost.exe
Token: SeShutdownPrivilege	2220	svchost.exe
Token: SeSystemEnvironmentPrivilege	2220	svchost.exe
Token: SeUndockPrivilege	2220	svchost.exe
Token: SeManageVolumePrivilege	2220	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2220	svchost.exe
Token: SeIncreaseQuotaPrivilege	2220	svchost.exe
Token: SeSecurityPrivilege	2220	svchost.exe
Token: SeTakeOwnershipPrivilege	2220	svchost.exe
Token: SeLoadDriverPrivilege	2220	svchost.exe
Token: SeSystemtimePrivilege	2220	svchost.exe
Token: SeBackupPrivilege	2220	svchost.exe
Token: SeRestorePrivilege	2220	svchost.exe
Token: SeShutdownPrivilege	2220	svchost.exe
Token: SeSystemEnvironmentPrivilege	2220	svchost.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Explorer.EXE

pid process

3564 Explorer.EXE
3564 Explorer.EXE
3564 Explorer.EXE
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Explorer.EXE

pid process

3564 Explorer.EXE
3564 Explorer.EXE
3564 Explorer.EXE

pid	process
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE

pid	process
3564	Explorer.EXE
3564	Explorer.EXE
3564	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exedllhost.exelsass.exe

description	pid	process	target process
PID 1492 wrote to memory of 3304	1492	190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe	dllhost.exe
PID 1492 wrote to memory of 3304	1492	190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe	dllhost.exe
PID 1492 wrote to memory of 3304	1492	190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe	dllhost.exe
PID 1492 wrote to memory of 3304	1492	190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe	dllhost.exe
PID 1492 wrote to memory of 3304	1492	190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe	dllhost.exe
PID 1492 wrote to memory of 3304	1492	190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe	dllhost.exe
PID 1492 wrote to memory of 3304	1492	190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe	dllhost.exe
PID 1492 wrote to memory of 3304	1492	190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe	dllhost.exe
PID 1492 wrote to memory of 3304	1492	190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe	dllhost.exe
PID 1492 wrote to memory of 3304	1492	190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe	dllhost.exe
PID 1492 wrote to memory of 3304	1492	190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe	dllhost.exe
PID 1492 wrote to memory of 2384	1492	190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe	SCHTASKS.exe
PID 1492 wrote to memory of 2384	1492	190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe	SCHTASKS.exe
PID 1492 wrote to memory of 228	1492	190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe	SCHTASKS.exe
PID 1492 wrote to memory of 228	1492	190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe	SCHTASKS.exe
PID 3304 wrote to memory of 612	3304	dllhost.exe	winlogon.exe
PID 3304 wrote to memory of 680	3304	dllhost.exe	lsass.exe
PID 3304 wrote to memory of 956	3304	dllhost.exe	svchost.exe
PID 3304 wrote to memory of 316	3304	dllhost.exe	dwm.exe
PID 1492 wrote to memory of 3084	1492	190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe	w2rrbtsx.fwt.exe
PID 1492 wrote to memory of 3084	1492	190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe	w2rrbtsx.fwt.exe
PID 1492 wrote to memory of 3084	1492	190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe	w2rrbtsx.fwt.exe
PID 680 wrote to memory of 2812	680	lsass.exe	sysmon.exe
PID 3304 wrote to memory of 388	3304	dllhost.exe	svchost.exe
PID 3304 wrote to memory of 512	3304	dllhost.exe	svchost.exe
PID 3304 wrote to memory of 1120	3304	dllhost.exe	svchost.exe
PID 3304 wrote to memory of 1128	3304	dllhost.exe	svchost.exe
PID 3304 wrote to memory of 1136	3304	dllhost.exe	svchost.exe
PID 3304 wrote to memory of 1208	3304	dllhost.exe	svchost.exe
PID 3304 wrote to memory of 1216	3304	dllhost.exe	svchost.exe
PID 3304 wrote to memory of 1316	3304	dllhost.exe	svchost.exe
PID 3304 wrote to memory of 1344	3304	dllhost.exe	svchost.exe
PID 3304 wrote to memory of 1396	3304	dllhost.exe	svchost.exe
PID 3304 wrote to memory of 1456	3304	dllhost.exe	svchost.exe
PID 3304 wrote to memory of 1564	3304	dllhost.exe	svchost.exe
PID 3304 wrote to memory of 1572	3304	dllhost.exe	svchost.exe
PID 3304 wrote to memory of 1644	3304	dllhost.exe	svchost.exe
PID 3304 wrote to memory of 1696	3304	dllhost.exe	svchost.exe
PID 3304 wrote to memory of 1740	3304	dllhost.exe	svchost.exe
PID 3304 wrote to memory of 1768	3304	dllhost.exe	svchost.exe
PID 3304 wrote to memory of 1820	3304	dllhost.exe	svchost.exe
PID 3304 wrote to memory of 1868	3304	dllhost.exe	svchost.exe
PID 3304 wrote to memory of 1876	3304	dllhost.exe	svchost.exe
PID 3304 wrote to memory of 1940	3304	dllhost.exe	svchost.exe
PID 3304 wrote to memory of 2032	3304	dllhost.exe	svchost.exe
PID 3304 wrote to memory of 2040	3304	dllhost.exe	spoolsv.exe
PID 3304 wrote to memory of 2116	3304	dllhost.exe	svchost.exe
PID 3304 wrote to memory of 2220	3304	dllhost.exe	svchost.exe
PID 3304 wrote to memory of 2256	3304	dllhost.exe	svchost.exe
PID 3304 wrote to memory of 2460	3304	dllhost.exe	svchost.exe
PID 3304 wrote to memory of 2468	3304	dllhost.exe	svchost.exe
PID 3304 wrote to memory of 2612	3304	dllhost.exe	sihost.exe
PID 3304 wrote to memory of 2628	3304	dllhost.exe	svchost.exe
PID 3304 wrote to memory of 2672	3304	dllhost.exe	svchost.exe
PID 3304 wrote to memory of 2752	3304	dllhost.exe	svchost.exe
PID 3304 wrote to memory of 2812	3304	dllhost.exe	sysmon.exe
PID 3304 wrote to memory of 2828	3304	dllhost.exe	svchost.exe
PID 3304 wrote to memory of 2836	3304	dllhost.exe	svchost.exe
PID 3304 wrote to memory of 2900	3304	dllhost.exe	taskhostw.exe
PID 3304 wrote to memory of 3108	3304	dllhost.exe	svchost.exe
PID 3304 wrote to memory of 3196	3304	dllhost.exe	unsecapp.exe
PID 3304 wrote to memory of 3468	3304	dllhost.exe	svchost.exe
PID 3304 wrote to memory of 3564	3304	dllhost.exe	Explorer.EXE
PID 3304 wrote to memory of 3664	3304	dllhost.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
outlook_office_path 1 IoCs

Processes:

w2rrbtsx.fwt.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 w2rrbtsx.fwt.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	w2rrbtsx.fwt.exe

outlook_win_path 1 IoCs

Processes:

w2rrbtsx.fwt.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	w2rrbtsx.fwt.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:316

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{ca473c97-53e8-4289-a4de-be80084ce6a9}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3304

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:388

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:512

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1128

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
2⤵
PID:2900

C:\Windows\system32\MusNotification.exe
C:\Windows\system32\MusNotification.exe
2⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2936

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1208

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1396

C:\Windows\system32\sihost.exe
sihost.exe
2⤵
PID:2612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1564

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1572

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1696

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1740

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1768

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1868

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1876

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2032

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2040

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2220

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2256

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Enumerates connected drives
PID:2752

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2828

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3108

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3468

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3564

C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe
"C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\SYSTEM32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe'" /sc onlogon /rl HIGHEST
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\SYSTEM32\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe'" /sc onlogon /rl HIGHEST
3⤵
- Scheduled Task/Job: Scheduled Task
PID:228

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:2252

C:\Users\Admin\AppData\Local\Temp\w2rrbtsx.fwt.exe
"C:\Users\Admin\AppData\Local\Temp\w2rrbtsx.fwt.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Drops desktop.ini file(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 1920
4⤵
- Program crash
PID:2620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3664

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3868

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4024

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4124

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:2352

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:3384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:4748

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Modifies data under HKEY_USERS
PID:1836

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4824

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2380

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:620

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Enumerates system info in registry
PID:4372

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 9989a1bd24df04ea34b3971146260db8 z1Dd6F96eUKtxFo4ElqgSA.0.1.0.0.0
1⤵
- Sets service image path in registry
- Modifies data under HKEY_USERS
PID:4720

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
2⤵
PID:1636

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:4416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3084 -ip 3084
2⤵
PID:4948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
PID:4276

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
- Drops file in Windows directory
PID:1716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
- Checks processor information in registry
PID:4608

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Pre-OS Boot

Bootkit

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\w2rrbtsx.fwt.exe
Filesize
320KB

MD5
0c38328646ce9eb5988a812b1de11b4d

SHA1
e018f0e0be3556a751920817d376215bbcab0233

SHA256
e04a9860f23388f7a72ba6ba79837c98d8c30647860ad73bdae5c597948d8178

SHA512
9834c67b68d0f96e2a0f5a3206367223899fbaeda3ab1f10100b567bbdc4a5121af82941d694af283363638d285e7913917d1702827a624d761c5b8d3c50c179

Download Submit
C:\Users\Admin\AppData\Roaming\BVRKIPTS\Browsers\Firefox\Bookmarks.txt
Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
memory/316-400-0x000001D0F0AC0000-0x000001D0F0AEA000-memory.dmp

Filesize
168KB

Download
memory/316-42-0x000001D0F0AC0000-0x000001D0F0AEA000-memory.dmp

Filesize
168KB

Download
memory/316-33-0x000001D0F0AC0000-0x000001D0F0AEA000-memory.dmp

Filesize
168KB

Download
memory/316-34-0x00007FF88F8D0000-0x00007FF88F8E0000-memory.dmp

Filesize
64KB

Download
memory/388-176-0x00000205C32D0000-0x00000205C32FA000-memory.dmp

Filesize
168KB

Download
memory/388-51-0x00007FF88F8D0000-0x00007FF88F8E0000-memory.dmp

Filesize
64KB

Download
memory/388-50-0x00000205C32D0000-0x00000205C32FA000-memory.dmp

Filesize
168KB

Download
memory/512-55-0x00007FF88F8D0000-0x00007FF88F8E0000-memory.dmp

Filesize
64KB

Download
memory/512-177-0x000002678C9D0000-0x000002678C9FA000-memory.dmp

Filesize
168KB

Download
memory/512-54-0x000002678C9D0000-0x000002678C9FA000-memory.dmp

Filesize
168KB

Download
memory/612-23-0x000001C014F70000-0x000001C014F93000-memory.dmp

Filesize
140KB

Download
memory/612-39-0x000001C015010000-0x000001C01503A000-memory.dmp

Filesize
168KB

Download
memory/612-40-0x00007FF8CF8ED000-0x00007FF8CF8EE000-memory.dmp

Filesize
4KB

Download
memory/612-24-0x000001C015010000-0x000001C01503A000-memory.dmp

Filesize
168KB

Download
memory/612-25-0x00007FF88F8D0000-0x00007FF88F8E0000-memory.dmp

Filesize
64KB

Download
memory/612-398-0x000001C015010000-0x000001C01503A000-memory.dmp

Filesize
168KB

Download
memory/680-41-0x000001808DAB0000-0x000001808DADA000-memory.dmp

Filesize
168KB

Download
memory/680-29-0x00007FF88F8D0000-0x00007FF88F8E0000-memory.dmp

Filesize
64KB

Download
memory/680-28-0x000001808DAB0000-0x000001808DADA000-memory.dmp

Filesize
168KB

Download
memory/680-399-0x000001808DAB0000-0x000001808DADA000-memory.dmp

Filesize
168KB

Download
memory/956-37-0x00007FF88F8D0000-0x00007FF88F8E0000-memory.dmp

Filesize
64KB

Download
memory/956-44-0x00007FF8CF8EC000-0x00007FF8CF8ED000-memory.dmp

Filesize
4KB

Download
memory/956-43-0x0000020E8AED0000-0x0000020E8AEFA000-memory.dmp

Filesize
168KB

Download
memory/956-401-0x0000020E8AED0000-0x0000020E8AEFA000-memory.dmp

Filesize
168KB

Download
memory/956-36-0x0000020E8AED0000-0x0000020E8AEFA000-memory.dmp

Filesize
168KB

Download
memory/1120-61-0x00007FF88F8D0000-0x00007FF88F8E0000-memory.dmp

Filesize
64KB

Download
memory/1120-179-0x000001CDB6360000-0x000001CDB638A000-memory.dmp

Filesize
168KB

Download
memory/1120-60-0x000001CDB6360000-0x000001CDB638A000-memory.dmp

Filesize
168KB

Download
memory/1128-63-0x0000015065B40000-0x0000015065B6A000-memory.dmp

Filesize
168KB

Download
memory/1128-64-0x00007FF88F8D0000-0x00007FF88F8E0000-memory.dmp

Filesize
64KB

Download
memory/1136-66-0x00000217174B0000-0x00000217174DA000-memory.dmp

Filesize
168KB

Download
memory/1136-67-0x00007FF88F8D0000-0x00007FF88F8E0000-memory.dmp

Filesize
64KB

Download
memory/1208-71-0x000001F2FA330000-0x000001F2FA35A000-memory.dmp

Filesize
168KB

Download
memory/1208-72-0x00007FF88F8D0000-0x00007FF88F8E0000-memory.dmp

Filesize
64KB

Download
memory/1216-74-0x000001B99A630000-0x000001B99A65A000-memory.dmp

Filesize
168KB

Download
memory/1216-75-0x00007FF88F8D0000-0x00007FF88F8E0000-memory.dmp

Filesize
64KB

Download
memory/1492-3-0x00007FF8CF850000-0x00007FF8CFA45000-memory.dmp

Filesize
2.0MB

Download
memory/1492-154-0x00007FF8B17D0000-0x00007FF8B2291000-memory.dmp

Filesize
10.8MB

Download
memory/1492-0-0x00000184F7C20000-0x00000184F7CB2000-memory.dmp

Filesize
584KB

Download
memory/1492-4-0x00007FF8CF450000-0x00007FF8CF50E000-memory.dmp

Filesize
760KB

Download
memory/1492-1-0x00000184F8050000-0x00000184F808E000-memory.dmp

Filesize
248KB

Download
memory/1492-9-0x00000184F9B20000-0x00000184F9B76000-memory.dmp

Filesize
344KB

Download
memory/1492-2-0x00007FF8B17D3000-0x00007FF8B17D5000-memory.dmp

Filesize
8KB

Download
memory/1492-11-0x00007FF8B17D0000-0x00007FF8B2291000-memory.dmp

Filesize
10.8MB

Download
memory/3084-304-0x0000000005E30000-0x0000000005EC2000-memory.dmp

Filesize
584KB

Download
memory/3084-305-0x0000000006480000-0x0000000006A24000-memory.dmp

Filesize
5.6MB

Download
memory/3084-307-0x0000000006300000-0x0000000006366000-memory.dmp

Filesize
408KB

Download
memory/3084-178-0x0000000000340000-0x0000000000396000-memory.dmp

Filesize
344KB

Download
memory/3304-12-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/3304-10-0x00007FF8CF450000-0x00007FF8CF50E000-memory.dmp

Filesize
760KB

Download
memory/3304-8-0x00007FF8CF850000-0x00007FF8CFA45000-memory.dmp

Filesize
2.0MB

Download
memory/3304-5-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/3304-6-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/3304-7-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download