3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e

Virtualization/Sandbox Evasion

Processes:

3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exeIsass.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Isass.exe

Executes dropped EXE 1 IoCs

Processes:

Isass.exe

pid process

1176 Isass.exe

pid	process
1176	Isass.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

T1082

Processes:

3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exeIsass.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Isass.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Isass.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1416 cmd.exe
Drops startup file 1 IoCs

Processes:

cscript.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Isass.lnk cscript.exe

pid	process
1416	cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Isass.lnk	cscript.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

Processes:

3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exeIsass.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Wine	3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exe
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Wine	Isass.exe

Loads dropped DLL 2 IoCs

Processes:

3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.execscript.exe

pid process

1120 3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exe
1000 cscript.exe

pid	process
1120	3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exe
1000	cscript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Isass.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows_Antimalware_Host_Syst = "C:\\ProgramData\\MicrosoftCorporation\\Windows\\System32\\Isass.exe"	Isass.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exeIsass.exe

pid process

1120 3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exe
1176 Isass.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1968 schtasks.exe
1220 schtasks.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

904 taskkill.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exeIsass.exe

pid process

1120 3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exe
1176 Isass.exe
1176 Isass.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 904 taskkill.exe

pid	process
1120	3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exe
1176	Isass.exe

pid	process
1968	schtasks.exe
1220	schtasks.exe

pid	process
904	taskkill.exe

pid	process
1120	3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exe
1176	Isass.exe
1176	Isass.exe

description	pid	process
Token: SeDebugPrivilege	904	taskkill.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exeIsass.execmd.execmd.exe

description	pid	process	target process
PID 1120 wrote to memory of 1176	1120	3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exe	Isass.exe
PID 1120 wrote to memory of 1176	1120	3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exe	Isass.exe
PID 1120 wrote to memory of 1176	1120	3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exe	Isass.exe
PID 1120 wrote to memory of 1176	1120	3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exe	Isass.exe
PID 1120 wrote to memory of 1416	1120	3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exe	cmd.exe
PID 1120 wrote to memory of 1416	1120	3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exe	cmd.exe
PID 1120 wrote to memory of 1416	1120	3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exe	cmd.exe
PID 1120 wrote to memory of 1416	1120	3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exe	cmd.exe
PID 1176 wrote to memory of 1968	1176	Isass.exe	schtasks.exe
PID 1176 wrote to memory of 1968	1176	Isass.exe	schtasks.exe
PID 1176 wrote to memory of 1968	1176	Isass.exe	schtasks.exe
PID 1176 wrote to memory of 1968	1176	Isass.exe	schtasks.exe
PID 1416 wrote to memory of 904	1416	cmd.exe	taskkill.exe
PID 1416 wrote to memory of 904	1416	cmd.exe	taskkill.exe
PID 1416 wrote to memory of 904	1416	cmd.exe	taskkill.exe
PID 1416 wrote to memory of 904	1416	cmd.exe	taskkill.exe
PID 1176 wrote to memory of 1220	1176	Isass.exe	schtasks.exe
PID 1176 wrote to memory of 1220	1176	Isass.exe	schtasks.exe
PID 1176 wrote to memory of 1220	1176	Isass.exe	schtasks.exe
PID 1176 wrote to memory of 1220	1176	Isass.exe	schtasks.exe
PID 1176 wrote to memory of 1484	1176	Isass.exe	cmd.exe
PID 1176 wrote to memory of 1484	1176	Isass.exe	cmd.exe
PID 1176 wrote to memory of 1484	1176	Isass.exe	cmd.exe
PID 1176 wrote to memory of 1484	1176	Isass.exe	cmd.exe
PID 1484 wrote to memory of 1000	1484	cmd.exe	cscript.exe
PID 1484 wrote to memory of 1000	1484	cmd.exe	cscript.exe
PID 1484 wrote to memory of 1000	1484	cmd.exe	cscript.exe
PID 1484 wrote to memory of 1000	1484	cmd.exe	cscript.exe

C:\Users\Admin\AppData\Local\Temp\3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exe
"C:\Users\Admin\AppData\Local\Temp\3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1120

C:\ProgramData\MicrosoftCorporation\Windows\System32\Isass.exe
"C:\ProgramData\MicrosoftCorporation\Windows\System32\Isass.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1176

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 30 /TN "Windows_Antimalware_Host" /TR "C:\ProgramData\WindowsAppCertification\checker.vbs" /F
3⤵
- Creates scheduled task(s)
PID:1968

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 5 /TN "Windows_Antimalware_Host_Systm" /TR "C:\ProgramData\MicrosoftCorporation\Windows\System32\Isass.exe" /F
3⤵
- Creates scheduled task(s)
PID:1220

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo Set oWS = WScript.CreateObject("WScript.Shell") > CreateShortcut.vbs & echo sLinkFile = "%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Isass.lnk" >> CreateShortcut.vbs & echo Set oLink = oWS.CreateShortcut(sLinkFile) >> CreateShortcut.vbs & echo oLink.TargetPath = "C:\ProgramData\MicrosoftCorporation\Windows\System32\Isass.exe" >> CreateShortcut.vbs & echo oLink.Save >> CreateShortcut.vbs & cscript CreateShortcut.vbs & del CreateShortcut.vbs
3⤵
- Suspicious use of WriteProcessMemory
PID:1484

C:\Windows\SysWOW64\cscript.exe
cscript CreateShortcut.vbs
4⤵
- Drops startup file
- Loads dropped DLL
PID:1000

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im 3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exe /f & erase C:\Users\Admin\AppData\Local\Temp\3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exe & exit
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1416

C:\Windows\SysWOW64\taskkill.exe
taskkill /im 3e80c09e8c838aea42d609ec5a60b9409b0ab3d77d61c3dfdf191a38bc4f721e.exe /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:904

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

Modify Registry

T1112

Credential Access

Discovery

Query Registry

3

Virtualization/Sandbox Evasion

2