14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

System Information Discovery

description	ioc	pid	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	3712	WerFault.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	3712	WerFault.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	4524	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	4524	svchost.exe

Checks processor information in registry (likely anti-VM) 2 TTPs 2 IoCs

Query Registry

System Information Discovery

description	ioc	pid	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	3712	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	3712	WerFault.exe

Checks processor name in registry (likely anti-VM) 2 TTPs 1 IoCs

Query Registry

System Information Discovery

description	ioc	pid	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	3712	WerFault.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3712	WerFault.exe
4500	svchost.exe

Checks SCSI registry key(s) (likely anti-VM) 3 TTPs 12 IoCs

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	pid	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000	4684	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\HardwareID	4684	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\CompatibleIDs	4684	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000	4684	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\HardwareID	4684	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\CompatibleIDs	4684	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000	4340	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\HardwareID	4340	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\CompatibleIDs	4340	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000	4340	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\HardwareID	4340	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\CompatibleIDs	4340	svchost.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

System Information Discovery

description	ioc	pid	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	3712	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	3712	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	3712	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	3712	WerFault.exe

Modifies service 2 TTPs 1 IoCs

persistence

Modify Registry

description	ioc	pid	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BITS\Performance\PerfMMFileName = "Global\\MMF_BITSa9c049ce-0b1c-48e4-ad55-dab8ee12ba37"	4124	svchost.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Modify Registry

description	ioc	pid	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "0"	4732	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "1"	4732	svchost.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4500 created 3980	4500	svchost.exe	78

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	3712	WerFault.exe
Token: SeBackupPrivilege	3712	WerFault.exe
Token: SeDebugPrivilege	3712	WerFault.exe
Token: SeSystemEnvironmentPrivilege	4340	svchost.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Modify Registry

description	ioc	pid	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates\0217922CA1B6F0BD0F1D7FF6E7BDC29B2FAAA060	4684	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates\0217922CA1B6F0BD0F1D7FF6E7BDC29B2FAAA060\Blob = 0300000001000000140000000217922ca1b6f0bd0f1d7ff6e7bdc29b2faaa06020000000010000001e0300003082031a308202daa003020102020900bebbcc34c2a99a43300906072a8648ce38040330233121301f06035504031318546f6b656e205369676e696e67205075626c6963204b6579301e170d3133303730323231313033375a170d3138303730313231313033375a30233121301f06035504031318546f6b656e205369676e696e67205075626c6963204b6579308201b63082012b06072a8648ce3804013082011e02818100f3e2f36f1d350881275aa7c5f7e8c357a650ef20dc32b53ca779842dcbfc152228c1e764019c55ca7bf8a0116ccca93636dc681161c8188f79f985cce6b1a8aaf44dffd3ea6c2d60fd80eefd084c4a09c4b9784cf3ccf638ca8cca937fbaee6d472cad4ee2d5ddda4e653184e512d9846c770abdc5e4945ce5686c513bf38f150215009fd788154563df5ca8c78a354278fc70394e37fb0281803a769d0b37f784c6f1af668ffa7b2d0b53debfac0e64db8244f4c1793e9e34cac020047d3df0563ddefd171ab2fd6af49f7d3616c285cc422590c3a6f0cae0dd3987c3f310a5efe0f127f406416e983ec649e835e1006e2fccf48474b90e82cb67cb62608ed42f2ec45b71803d63dbd63101b8a490fd1ab091976ef4bb176a65038184000281806ed2b8b1d12b8846c32236833769cb554bcd3809bfd684c8bdacfb500ca500327185560ccc83d9ae13580fa72aa9fd36eccaa9fd79861245cc591b4e7dcf047847e82d5946829638473927236142f9aa5d99ec33714677492e39784264f486ada6b028837db599a58e512e376c52470b1cb8991793783499e772de6678db2be3a38198308195301d0603551d0e0416041446d2c25b3e033423792e171c0019284c71102b6430530603551d23044c304a801446d2c25b3e033423792e171c0019284c71102b64a127a42530233121301f06035504031318546f6b656e205369676e696e67205075626c6963204b6579820900bebbcc34c2a99a4330120603551d130101ff040830060101ff020100300b0603551d0f0404030201c6300906072a8648ce380403032f00302c02140b7937349b7de4b8750855cd40ef4bbb2d3145a9021417408a13071294c11b2c9e5195e411eb86a54864	4684	svchost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates\2C85006A1A028BCC349DF23C474724C055FDE8B6	4684	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates\2C85006A1A028BCC349DF23C474724C055FDE8B6\Blob = 0300000001000000140000002c85006a1a028bcc349df23c474724c055fde8b620000000010000001f0300003082031b308202dba003020102020900bea900b78b6470ef300906072a8648ce38040330233121301f06035504031318546f6b656e205369676e696e67205075626c6963204b6579301e170d3136303530393230343035355a170d3231303530383230343035355a30233121301f06035504031318546f6b656e205369676e696e67205075626c6963204b6579308201b73082012c06072a8648ce3804013082011f02818100a9a733a14a9c9d68b075811ddf231c514c0cdc328087287fd11f1d6eb125b536b88cd5579591bb6e7545b45b98eaa8cdeb0ae38be4781c7d36d97b3d2bb45b9449142130f68e112c6d09e343160cd0d0fbb8aabc8b0cea5b2066b0e3368589dadfd8ae79e9d2bdc5f5836d8fb278be02c260d3a592bda471f1a28e2f925e8b57021500a86236ce56c046d8f3fac8a6bb63e28543e45753028181009eb2085cfbe32af5a25dddeebdeede0d2f2a4475bbca802c7952e078421b4b85528fff6242aba7c75c1e40695db3be422d982972b638679c1b9314a39cad44577d2a71ee3e5738176062d9200be5efcc1b00c16b1b48e8b1771c01b9aa54ce0b5f6679caed531293d92ef822695e20264e23b188489ea3e6dc1c36a90fa0668903818400028180168cdc3d074cf4c9accef116317b85adf100f2454c9ca23203ad296928bb08879c48096c44bcb0dc3f49f69456e871dd45980eacabe735c63ade0281e7a48aca3eabde71aab64c04a6ef72c352be936692c8970a3c7615370d549b931c289810278f5284914f6965df0d93ce0a980ca5dce26e75a331c4da939af3e051d252d3a38198308195301d0603551d0e04160414a353ea5503cd0a69c45870b6ffe3912091c79f7a30530603551d23044c304a8014a353ea5503cd0a69c45870b6ffe3912091c79f7aa127a42530233121301f06035504031318546f6b656e205369676e696e67205075626c6963204b6579820900bea900b78b6470ef30120603551d130101ff040830060101ff020100300b0603551d0f0404030201c6300906072a8648ce380403032f00302c021468e7a7cdfca81ff04d476fa11b781b7696d1fbf402145ef1c64374ebde4c309b59a9deeb99e556fd1477	4684	svchost.exe

C:\Users\Admin\AppData\Local\Temp\14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e.exe
"C:\Users\Admin\AppData\Local\Temp\14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4936

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:5088

C:\Windows\System32\SLUI.exe
"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
1⤵
PID:5116

C:\Users\Admin\AppData\Local\Temp\14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e.exe
"C:\Users\Admin\AppData\Local\Temp\14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e.exe" --Admin
1⤵
- Suspicious use of WriteProcessMemory
PID:2108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s PcaSvc
1⤵
PID:1060

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned
1⤵
PID:3980

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:4500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 668
1⤵
- Program crash
- Checks system information in the registry (likely anti-VM)
- Checks processor information in registry (likely anti-VM)
- Checks processor name in registry (likely anti-VM)
- Suspicious behavior: EnumeratesProcesses
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:3712

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s WdiSystemHost
1⤵
PID:4628

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
1⤵
- Checks SCSI registry key(s) (likely anti-VM)
- Modifies system certificate store
PID:4684

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k wsappx -s ClipSVC
1⤵
- Checks SCSI registry key(s) (likely anti-VM)
- Suspicious use of AdjustPrivilegeToken
PID:4340

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s wisvc
1⤵
PID:4220

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Drops file in system dir
- Modifies service
PID:4124

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:4112

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
1⤵
- Checks system information in the registry (likely anti-VM)
PID:4524

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
1⤵
- Windows security modification
PID:4732

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup
1⤵
PID:4236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

3

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

5