Analysis
max time kernel: 150s
max time network: 52s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-06-2024 19:11
Behavioral task behavioral1
Sample: 190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe
Resource: win7-20240508-en
Behavioral task behavioral2
Sample: 190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe
Resource: win10v2004-20240508-en
General
Target: 190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe
Size: 558KB
MD5: f1be3a3edf5bf5e9343bd71cd39d6a1d
SHA1: 9fe9268163a4aacf93f287c5ddfe6b79a44d0688
SHA256: 190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598
SHA512: 43fa1ed4a139141a5b3967fb22b1a55d8efe68df81815f839a7638962e017f4cb6db1ab7ccea27720034946c9423c4c15fa11709a05891de5ac2e3a91020e3e7
SSDEEP: 12288:/m/Q6P8j/svm1TXI5tZByKLBwiZlzMB9xgndcP88DvvP:/0P8j/svqAOG6iZ2BLgndcE+vvP
Malware Config
Signatures
StormKitty
StormKitty is an open source info stealer written in C#.
StormKitty payload 4 IoCs
Processes:
resource | yara_rule
behavioral2/memory/1492-0-0x00000184F7C20000-0x00000184F7CB2000-memory.dmp | family_stormkitty
behavioral2/memory/1492-9-0x00000184F9B20000-0x00000184F9B76000-memory.dmp | family_stormkitty
C:\Users\Admin\AppData\Local\Temp\w2rrbtsx.fwt.exe | family_stormkitty
behavioral2/memory/3084-178-0x0000000000340000-0x0000000000396000-memory.dmp | family_stormkitty
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
Processes:
description | pid | process | target process
PID 1492 created 612 | 1492 | 190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe | winlogon.exe
PID 4416 created 3084 | 4416 | svchost.exe | w2rrbtsx.fwt.exe
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 4 IoCs
Processes:
resource | yara_rule
behavioral2/memory/1492-0-0x00000184F7C20000-0x00000184F7CB2000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/1492-9-0x00000184F9B20000-0x00000184F9B76000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_References_Browsers
C:\Users\Admin\AppData\Local\Temp\w2rrbtsx.fwt.exe | INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/3084-178-0x0000000000340000-0x0000000000396000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_References_Browsers
Detects executables containing base64-encoded gzip files 4 IoCs
Processes:
resource | yara_rule
behavioral2/memory/1492-0-0x00000184F7C20000-0x00000184F7CB2000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
behavioral2/memory/1492-9-0x00000184F9B20000-0x00000184F9B76000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
C:\Users\Admin\AppData\Local\Temp\w2rrbtsx.fwt.exe | INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
behavioral2/memory/3084-178-0x0000000000340000-0x0000000000396000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
Detects executables referencing Discord token regular expressions 4 IoCs
Processes:
resource | yara_rule
behavioral2/memory/1492-0-0x00000184F7C20000-0x00000184F7CB2000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_Discord_Regex
behavioral2/memory/1492-9-0x00000184F9B20000-0x00000184F9B76000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_Discord_Regex
C:\Users\Admin\AppData\Local\Temp\w2rrbtsx.fwt.exe | INDICATOR_SUSPICIOUS_EXE_Discord_Regex
behavioral2/memory/3084-178-0x0000000000340000-0x0000000000396000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_Discord_Regex
Detects executables referencing credit card regular expressions 4 IoCs
Processes:
resource | yara_rule
behavioral2/memory/1492-0-0x00000184F7C20000-0x00000184F7CB2000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_CC_Regex
behavioral2/memory/1492-9-0x00000184F9B20000-0x00000184F9B76000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_CC_Regex
C:\Users\Admin\AppData\Local\Temp\w2rrbtsx.fwt.exe | INDICATOR_SUSPICIOUS_EXE_CC_Regex
behavioral2/memory/3084-178-0x0000000000340000-0x0000000000396000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_CC_Regex
Detects executables referencing many VPN software clients. Observed in infostealers 4 IoCs
Processes:
resource | yara_rule
behavioral2/memory/1492-0-0x00000184F7C20000-0x00000184F7CB2000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_References_VPN
behavioral2/memory/1492-9-0x00000184F9B20000-0x00000184F9B76000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_References_VPN
C:\Users\Admin\AppData\Local\Temp\w2rrbtsx.fwt.exe | INDICATOR_SUSPICIOUS_EXE_References_VPN
behavioral2/memory/3084-178-0x0000000000340000-0x0000000000396000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_References_VPN
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers 4 IoCs
Processes:
resource | yara_rule
behavioral2/memory/1492-0-0x00000184F7C20000-0x00000184F7CB2000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/1492-9-0x00000184F9B20000-0x00000184F9B76000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
C:\Users\Admin\AppData\Local\Temp\w2rrbtsx.fwt.exe | INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/3084-178-0x0000000000340000-0x0000000000396000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Detects executables referencing many email and collaboration clients. Observed in information stealers 4 IoCs
Processes:
resource | yara_rule
behavioral2/memory/1492-0-0x00000184F7C20000-0x00000184F7CB2000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/1492-9-0x00000184F9B20000-0x00000184F9B76000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
C:\Users\Admin\AppData\Local\Temp\w2rrbtsx.fwt.exe | INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/3084-178-0x0000000000340000-0x0000000000396000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Detects executables using Telegram Chat Bot 4 IoCs
Processes:
resource | yara_rule
behavioral2/memory/1492-0-0x00000184F7C20000-0x00000184F7CB2000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
behavioral2/memory/1492-9-0x00000184F9B20000-0x00000184F9B76000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
C:\Users\Admin\AppData\Local\Temp\w2rrbtsx.fwt.exe | INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
behavioral2/memory/3084-178-0x0000000000340000-0x0000000000396000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
Sets service image path in registry 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DoSvc\ImagePath = "C:\\Windows\\System32\\svchost.exe -k NetworkService -p" | WaaSMedicAgent.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | wmiprvse.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | 190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe
Executes dropped EXE 1 IoCs
Processes:
pid | process
3084 | w2rrbtsx.fwt.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | w2rrbtsx.fwt.exe
Key opened | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | w2rrbtsx.fwt.exe
Key opened | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | w2rrbtsx.fwt.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops desktop.ini file(s) 4 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\BVRKIPTS\FileGrabber\Desktop\desktop.ini | w2rrbtsx.fwt.exe
File created | C:\Users\Admin\AppData\Roaming\BVRKIPTS\FileGrabber\Documents\desktop.ini | w2rrbtsx.fwt.exe
File created | C:\Users\Admin\AppData\Roaming\BVRKIPTS\FileGrabber\Downloads\desktop.ini | w2rrbtsx.fwt.exe
File created | C:\Users\Admin\AppData\Roaming\BVRKIPTS\FileGrabber\Pictures\desktop.ini | w2rrbtsx.fwt.exe
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only) | \??\M:, \??\Q:, \??\U:, \??\X:, \??\Y:, \??\Z:, \??\T:, \??\A:, \??\H:, \??\I:, \??\L:, \??\N:, \??\P:, \??\V:, \??\W:, \??\G:, \??\J:, \??\K:, \??\O:, \??\R:, \??\S:, \??\B:, \??\E: (one event per drive letter, in that order) | svchost.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
3 | freegeoip.app
8 | api.ipify.org
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
description | ioc | process
File opened for modification | \??\PHYSICALDRIVE0 | wmiprvse.exe
Drops file in System32 directory 3 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | svchost.exe
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | svchost.exe
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx | svchost.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 1492 set thread context of 3304 | 1492 | 190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe | dllhost.exe
Drops file in Windows directory 7 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
File created | C:\Windows\Logs\CBS\CBS.log | TrustedInstaller.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TrustedInstaller.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
Processes:
pid | pid_target | process | target process
2620 | 3084 | WerFault.exe | w2rrbtsx.fwt.exe
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | svchost.exe
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | w2rrbtsx.fwt.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | w2rrbtsx.fwt.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotification.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotification.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | wmiprvse.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | wmiprvse.exe
Key security queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | wmiprvse.exe
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svchost.exe
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | wmiprvse.exe
Modifies data under HKEY_USERS 53 IoCs
Processes:
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
2384 | SCHTASKS.exe
228 | SCHTASKS.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process (distinct entries; the 64 events repeat these)
1492 | 190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe
3304 | dllhost.exe (repeated)
3084 | w2rrbtsx.fwt.exe (repeated)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process (distinct entries; the 64 events repeat these)
Token: SeDebugPrivilege | 1492 | 190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe
Token: SeDebugPrivilege | 3304 | dllhost.exe
Token: SeDebugPrivilege | 3084 | w2rrbtsx.fwt.exe
Token: SeShutdownPrivilege | 2936 | MusNotification.exe
Token: SeCreatePagefilePrivilege | 2936 | MusNotification.exe
Token: SeAssignPrimaryTokenPrivilege | 2220 | svchost.exe
Token: SeIncreaseQuotaPrivilege | 2220 | svchost.exe
Token: SeSecurityPrivilege | 2220 | svchost.exe
Token: SeTakeOwnershipPrivilege | 2220 | svchost.exe
Token: SeLoadDriverPrivilege | 2220 | svchost.exe
Token: SeSystemtimePrivilege | 2220 | svchost.exe
Token: SeBackupPrivilege | 2220 | svchost.exe
Token: SeRestorePrivilege | 2220 | svchost.exe
Token: SeShutdownPrivilege | 2220 | svchost.exe
Token: SeSystemEnvironmentPrivilege | 2220 | svchost.exe
Token: SeUndockPrivilege | 2220 | svchost.exe
Token: SeManageVolumePrivilege | 2220 | svchost.exe
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
pid | process
3564 | Explorer.EXE (3 events)
Suspicious use of SendNotifyMessage 3 IoCs
Processes:
pid | process
3564 | Explorer.EXE (3 events)
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
pid | process | target pid | target process (distinct source/target pairs; repeated events noted)
1492 | 190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe | 3304 | dllhost.exe (11 events)
1492 | 190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe | 2384 | SCHTASKS.exe (2 events)
1492 | 190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe | 228 | SCHTASKS.exe (2 events)
3304 | dllhost.exe | 612 | winlogon.exe
3304 | dllhost.exe | 680 | lsass.exe
3304 | dllhost.exe | 956 | svchost.exe
3304 | dllhost.exe | 316 | dwm.exe
1492 | 190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe | 3084 | w2rrbtsx.fwt.exe (3 events)
680 | lsass.exe | 2812 | sysmon.exe
3304 | dllhost.exe | 388 | svchost.exe
3304 | dllhost.exe | 512 | svchost.exe
3304 | dllhost.exe | 1120 | svchost.exe
3304 | dllhost.exe | 1128 | svchost.exe
3304 | dllhost.exe | 1136 | svchost.exe
3304 | dllhost.exe | 1208 | svchost.exe
3304 | dllhost.exe | 1216 | svchost.exe
3304 | dllhost.exe | 1316 | svchost.exe
3304 | dllhost.exe | 1344 | svchost.exe
3304 | dllhost.exe | 1396 | svchost.exe
3304 | dllhost.exe | 1456 | svchost.exe
3304 | dllhost.exe | 1564 | svchost.exe
3304 | dllhost.exe | 1572 | svchost.exe
3304 | dllhost.exe | 1644 | svchost.exe
3304 | dllhost.exe | 1696 | svchost.exe
3304 | dllhost.exe | 1740 | svchost.exe
3304 | dllhost.exe | 1768 | svchost.exe
3304 | dllhost.exe | 1820 | svchost.exe
3304 | dllhost.exe | 1868 | svchost.exe
3304 | dllhost.exe | 1876 | svchost.exe
3304 | dllhost.exe | 1940 | svchost.exe
3304 | dllhost.exe | 2032 | svchost.exe
3304 | dllhost.exe | 2040 | spoolsv.exe
3304 | dllhost.exe | 2116 | svchost.exe
3304 | dllhost.exe | 2220 | svchost.exe
3304 | dllhost.exe | 2256 | svchost.exe
3304 | dllhost.exe | 2460 | svchost.exe
3304 | dllhost.exe | 2468 | svchost.exe
3304 | dllhost.exe | 2612 | sihost.exe
3304 | dllhost.exe | 2628 | svchost.exe
3304 | dllhost.exe | 2672 | svchost.exe
3304 | dllhost.exe | 2752 | svchost.exe
3304 | dllhost.exe | 2812 | sysmon.exe
3304 | dllhost.exe | 2828 | svchost.exe
3304 | dllhost.exe | 2836 | svchost.exe
3304 | dllhost.exe | 2900 | taskhostw.exe
3304 | dllhost.exe | 3108 | svchost.exe
3304 | dllhost.exe | 3196 | unsecapp.exe
3304 | dllhost.exe | 3468 | svchost.exe
3304 | dllhost.exe | 3564 | Explorer.EXE
3304 | dllhost.exe | 3664 | svchost.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
outlook_office_path 1 IoCs
Processes:
w2rrbtsx.fwt.exe
description ioc process
Key opened \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 w2rrbtsx.fwt.exe
-
outlook_win_path 1 IoCs
Processes:
w2rrbtsx.fwt.exe
description ioc process
Key opened \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 w2rrbtsx.fwt.exe
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{ca473c97-53e8-4289-a4de-be80084ce6a9}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵
-
C:\Windows\system32\MusNotification.exeC:\Windows\system32\MusNotification.exe2⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\sihost.exesihost.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
- Enumerates connected drives
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe"C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\SCHTASKS.exe"SCHTASKS.exe" /create /tn "$77190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe'" /sc onlogon /rl HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SYSTEM32\SCHTASKS.exe"SCHTASKS.exe" /create /tn "$77190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe'" /sc onlogon /rl HIGHEST3⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Users\Admin\AppData\Local\Temp\w2rrbtsx.fwt.exe"C:\Users\Admin\AppData\Local\Temp\w2rrbtsx.fwt.exe"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Drops desktop.ini file(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 19204⤵
- Program crash
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
- Checks BIOS information in registry
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe 9989a1bd24df04ea34b3971146260db8 z1Dd6F96eUKtxFo4ElqgSA.0.1.0.0.01⤵
- Sets service image path in registry
- Modifies data under HKEY_USERS
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3084 -ip 30842⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵
- Drops file in Windows directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵
- Checks processor information in registry
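The process tree above prints image path, command line and nesting depth run together on each line. The parser below is an added example by the editor, not code from the sandbox. It splits each line heuristically (the first ".exe" in any case ends the image path; the single digit before the arrow is the depth), rebuilds parent links from the depths, and then applies three checks drawn from what the tree shows: the SCHTASKS.exe invocations (/sc onlogon, /rl HIGHEST, an action under %TEMP%, and a task name beginning with "$77"), a dropped executable started from %TEMP% by a parent that also lives in %TEMP% (w2rrbtsx.fwt.exe), and dllhost.exe parented by winlogon.exe rather than the DcomLaunch svchost that normally starts the COM surrogate, which is the condition behind the NtCreateUserProcessOtherParentProcess signature. The "$77" prefix is flagged because it is conspicuous, not as an attribution: it is the prefix the open-source r77 rootkit uses to hide its files, processes and tasks, but the report does not identify r77, so treat that check as analyst context. TREE is a constructed subset of the lines above, and the expectation that dllhost.exe is a child of svchost.exe is the editor's assumption, not the report's.

```python
"""Parse the sandbox's flattened process tree and triage the persistence and
injection nodes.

Added example by the editor, not code from the sandbox. Each tree line is
'<image path><command line><depth>' with nothing between the fields, so the
split is heuristic: the first '.exe' (any case) ends the image path and the
single digit before the arrow is the nesting depth. TREE is a constructed
subset copied from the report above.
"""
import re
from dataclasses import dataclass, field

TREE = r"""
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{ca473c97-53e8-4289-a4de-be80084ce6a9}2⤵
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe"C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe"2⤵
C:\Windows\SYSTEM32\SCHTASKS.exe"SCHTASKS.exe" /create /tn "$77190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\190125d18f0c710d42a53fe230fa6e18568a35150ba34e6b880fd709f0a82598.exe'" /sc onlogon /rl HIGHEST3⤵
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
C:\Users\Admin\AppData\Local\Temp\w2rrbtsx.fwt.exe"C:\Users\Admin\AppData\Local\Temp\w2rrbtsx.fwt.exe"3⤵
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 19204⤵
"""

LINE = re.compile(r"^(?P<image>.+?\.exe)(?P<cmdline>.*?)(?P<depth>\d)⤵$", re.IGNORECASE)
TEMP = "\\appdata\\local\\temp\\"          # lower-cased path fragment to match on
TN = re.compile(r'/tn\s+"([^"]*)"', re.I)
TR = re.compile(r'/tr\s+"\'?([^"\']*)', re.I)   # tolerates the "'...'" double quoting


@dataclass
class Proc:
    image: str
    cmdline: str
    depth: int
    parent: "Proc | None" = None
    children: list = field(default_factory=list)

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1]


def parse_tree(text):
    """Rebuild parent/child links from the depth digits using a stack of ancestors."""
    procs, stack = [], []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = LINE.match(raw)
        if not m:
            raise ValueError(f"unparseable tree line: {raw!r}")
        p = Proc(m["image"], m["cmdline"], int(m["depth"]))
        del stack[p.depth - 1:]            # keep only this node's ancestors
        if stack:
            p.parent = stack[-1]
            stack[-1].children.append(p)
        stack.append(p)
        procs.append(p)
    return procs


def ancestry(p):
    chain = []
    while p is not None:
        chain.append(p.name)
        p = p.parent
    return chain[::-1]


def triage_schtasks(cmdline):
    """Why a 'schtasks /create' command line deserves a look."""
    lc = cmdline.lower()
    if "/create" not in lc:
        return []
    reasons = []
    if "/sc onlogon" in lc:
        reasons.append("trigger: every logon")
    if "/rl highest" in lc:
        reasons.append("run level: highest")
    tn = TN.search(cmdline)
    if tn and tn.group(1).startswith("$77"):
        reasons.append('task name carries the "$77" prefix')
    tr = TR.search(cmdline)
    if tr and TEMP in tr.group(1).lower():
        reasons.append("task action runs from %TEMP%")
    return reasons


def triage(procs):
    """(ancestry, reasons) for every node worth escalating."""
    findings = []
    for p in procs:
        reasons = []
        if p.name.lower() == "schtasks.exe":
            reasons += triage_schtasks(p.cmdline)
        if TEMP in p.image.lower() and p.parent and TEMP in p.parent.image.lower():
            reasons.append("dropped executable started from %TEMP% by a %TEMP% parent")
        # Assumption: the COM surrogate is started by the DcomLaunch svchost; any
        # other parent is what NtCreateUserProcessOtherParentProcess produces.
        if p.name.lower() == "dllhost.exe" and p.parent and p.parent.name.lower() != "svchost.exe":
            reasons.append(f"dllhost.exe parented by {p.parent.name}")
        if reasons:
            findings.append((ancestry(p), reasons))
    return findings


if __name__ == "__main__":
    for chain, why in triage(parse_tree(TREE)):
        print(" -> ".join(chain))
        for r in why:
            print("   ", r)
```

The depth stack is what makes the flattened listing usable: after a depth-4 conhost.exe the next depth-3 line (w2rrbtsx.fwt.exe) must attach to the depth-2 sample, not to SCHTASKS.exe, and `del stack[depth - 1:]` does exactly that.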
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Pre-OS Boot (1): Bootkit (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads
-
C:\Users\Admin\AppData\Local\Temp\w2rrbtsx.fwt.exe
Filesize 320KB
MD5 0c38328646ce9eb5988a812b1de11b4d
SHA1 e018f0e0be3556a751920817d376215bbcab0233
SHA256 e04a9860f23388f7a72ba6ba79837c98d8c30647860ad73bdae5c597948d8178
SHA512 9834c67b68d0f96e2a0f5a3206367223899fbaeda3ab1f10100b567bbdc4a5121af82941d694af283363638d285e7913917d1702827a624d761c5b8d3c50c179
-
C:\Users\Admin\AppData\Roaming\BVRKIPTS\Browsers\Firefox\Bookmarks.txt
Filesize 105B
MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
-
memory/316-400-0x000001D0F0AC0000-0x000001D0F0AEA000-memory.dmp  168KB
memory/316-42-0x000001D0F0AC0000-0x000001D0F0AEA000-memory.dmp  168KB
memory/316-33-0x000001D0F0AC0000-0x000001D0F0AEA000-memory.dmp  168KB
memory/316-34-0x00007FF88F8D0000-0x00007FF88F8E0000-memory.dmp  64KB
memory/388-176-0x00000205C32D0000-0x00000205C32FA000-memory.dmp  168KB
memory/388-51-0x00007FF88F8D0000-0x00007FF88F8E0000-memory.dmp  64KB
memory/388-50-0x00000205C32D0000-0x00000205C32FA000-memory.dmp  168KB
memory/512-55-0x00007FF88F8D0000-0x00007FF88F8E0000-memory.dmp  64KB
memory/512-177-0x000002678C9D0000-0x000002678C9FA000-memory.dmp  168KB
memory/512-54-0x000002678C9D0000-0x000002678C9FA000-memory.dmp  168KB
memory/612-23-0x000001C014F70000-0x000001C014F93000-memory.dmp  140KB
memory/612-39-0x000001C015010000-0x000001C01503A000-memory.dmp  168KB
memory/612-40-0x00007FF8CF8ED000-0x00007FF8CF8EE000-memory.dmp  4KB
memory/612-24-0x000001C015010000-0x000001C01503A000-memory.dmp  168KB
memory/612-25-0x00007FF88F8D0000-0x00007FF88F8E0000-memory.dmp  64KB
memory/612-398-0x000001C015010000-0x000001C01503A000-memory.dmp  168KB
memory/680-41-0x000001808DAB0000-0x000001808DADA000-memory.dmp  168KB
memory/680-29-0x00007FF88F8D0000-0x00007FF88F8E0000-memory.dmp  64KB
memory/680-28-0x000001808DAB0000-0x000001808DADA000-memory.dmp  168KB
memory/680-399-0x000001808DAB0000-0x000001808DADA000-memory.dmp  168KB
memory/956-37-0x00007FF88F8D0000-0x00007FF88F8E0000-memory.dmp  64KB
memory/956-44-0x00007FF8CF8EC000-0x00007FF8CF8ED000-memory.dmp  4KB
memory/956-43-0x0000020E8AED0000-0x0000020E8AEFA000-memory.dmp  168KB
memory/956-401-0x0000020E8AED0000-0x0000020E8AEFA000-memory.dmp  168KB
memory/956-36-0x0000020E8AED0000-0x0000020E8AEFA000-memory.dmp  168KB
memory/1120-61-0x00007FF88F8D0000-0x00007FF88F8E0000-memory.dmp  64KB
memory/1120-179-0x000001CDB6360000-0x000001CDB638A000-memory.dmp  168KB
memory/1120-60-0x000001CDB6360000-0x000001CDB638A000-memory.dmp  168KB
memory/1128-63-0x0000015065B40000-0x0000015065B6A000-memory.dmp  168KB
memory/1128-64-0x00007FF88F8D0000-0x00007FF88F8E0000-memory.dmp  64KB
memory/1136-66-0x00000217174B0000-0x00000217174DA000-memory.dmp  168KB
memory/1136-67-0x00007FF88F8D0000-0x00007FF88F8E0000-memory.dmp  64KB
memory/1208-71-0x000001F2FA330000-0x000001F2FA35A000-memory.dmp  168KB
memory/1208-72-0x00007FF88F8D0000-0x00007FF88F8E0000-memory.dmp  64KB
memory/1216-74-0x000001B99A630000-0x000001B99A65A000-memory.dmp  168KB
memory/1216-75-0x00007FF88F8D0000-0x00007FF88F8E0000-memory.dmp  64KB
memory/1492-3-0x00007FF8CF850000-0x00007FF8CFA45000-memory.dmp  2.0MB
memory/1492-154-0x00007FF8B17D0000-0x00007FF8B2291000-memory.dmp  10.8MB
memory/1492-0-0x00000184F7C20000-0x00000184F7CB2000-memory.dmp  584KB
memory/1492-4-0x00007FF8CF450000-0x00007FF8CF50E000-memory.dmp  760KB
memory/1492-1-0x00000184F8050000-0x00000184F808E000-memory.dmp  248KB
memory/1492-9-0x00000184F9B20000-0x00000184F9B76000-memory.dmp  344KB
memory/1492-2-0x00007FF8B17D3000-0x00007FF8B17D5000-memory.dmp  8KB
memory/1492-11-0x00007FF8B17D0000-0x00007FF8B2291000-memory.dmp  10.8MB
memory/3084-304-0x0000000005E30000-0x0000000005EC2000-memory.dmp  584KB
memory/3084-305-0x0000000006480000-0x0000000006A24000-memory.dmp  5.6MB
memory/3084-307-0x0000000006300000-0x0000000006366000-memory.dmp  408KB
memory/3084-178-0x0000000000340000-0x0000000000396000-memory.dmp  344KB
memory/3304-12-0x0000000140000000-0x0000000140040000-memory.dmp  256KB
memory/3304-10-0x00007FF8CF450000-0x00007FF8CF50E000-memory.dmp  760KB
memory/3304-8-0x00007FF8CF850000-0x00007FF8CFA45000-memory.dmp  2.0MB
memory/3304-5-0x0000000140000000-0x0000000140040000-memory.dmp  256KB
memory/3304-6-0x0000000140000000-0x0000000140040000-memory.dmp  256KB
memory/3304-7-0x0000000140000000-0x0000000140040000-memory.dmp  256KB