asyncrat | 531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f

Modify Existing Service

T1031

Disabling Security Tools

Processes:

531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe

Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disabling Security Tools
T1089

Modify Registry
T1112

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

Modify Registry

Processes:

531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe = "0"	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1536-178-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

Processes:

531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe

Executes dropped EXE 12 IoCs

Processes:

DD8989123MD.exeK8MN9DA.exeLunaInjector.exeDD8989123MD.exeDD8989123MD.exeK8MN9DA.exeK8MN9DA.exeK8MN9DA.exeK8MN9DA.exeZxKKE4oK8.exeZxKKE4oK8.exeDD8989123MD.exe

pid	process
2156	DD8989123MD.exe
2316	K8MN9DA.exe
1144	LunaInjector.exe
3492	DD8989123MD.exe
3644	DD8989123MD.exe
4960	K8MN9DA.exe
3332	K8MN9DA.exe
2752	K8MN9DA.exe
1536	K8MN9DA.exe
2688	ZxKKE4oK8.exe
2536	ZxKKE4oK8.exe
3952	DD8989123MD.exe

Looks for VMWare Tools registry key 2 TTPs 1 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

Processes:

531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

DD8989123MD.exeK8MN9DA.exeZxKKE4oK8.exe531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exeK8MN9DA.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	DD8989123MD.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	K8MN9DA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	ZxKKE4oK8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	K8MN9DA.exe

Windows security modification 2 TTPs 10 IoCs

evasion trojan

Disabling Security Tools

Modify Registry

Processes:

531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe = "0"	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

43 wtfismyip.com
44 wtfismyip.com

flow	ioc
43	wtfismyip.com
44	wtfismyip.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 50 IoCs

Processes:

531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exeDD8989123MD.exeK8MN9DA.exeZxKKE4oK8.exe

pid	process
4416	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe
4416	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe
4416	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe
4416	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe
4416	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe
4416	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe
4416	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe
4416	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe
4416	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe
4416	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe
4416	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe
4416	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe
4416	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe
4416	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe
4416	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe
4416	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe
4416	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe
2156	DD8989123MD.exe
2156	DD8989123MD.exe
2156	DD8989123MD.exe
2156	DD8989123MD.exe
2156	DD8989123MD.exe
2156	DD8989123MD.exe
2156	DD8989123MD.exe
2156	DD8989123MD.exe
2156	DD8989123MD.exe
2156	DD8989123MD.exe
2156	DD8989123MD.exe
2156	DD8989123MD.exe
2316	K8MN9DA.exe
2316	K8MN9DA.exe
2316	K8MN9DA.exe
2316	K8MN9DA.exe
2316	K8MN9DA.exe
2316	K8MN9DA.exe
2316	K8MN9DA.exe
2316	K8MN9DA.exe
2316	K8MN9DA.exe
2316	K8MN9DA.exe
2316	K8MN9DA.exe
2688	ZxKKE4oK8.exe
2688	ZxKKE4oK8.exe
2688	ZxKKE4oK8.exe
2688	ZxKKE4oK8.exe
2688	ZxKKE4oK8.exe
2688	ZxKKE4oK8.exe
2688	ZxKKE4oK8.exe
2688	ZxKKE4oK8.exe
2688	ZxKKE4oK8.exe
2688	ZxKKE4oK8.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exeDD8989123MD.exeK8MN9DA.exeZxKKE4oK8.exeDD8989123MD.exe

description	pid	process	target process
PID 4416 set thread context of 1280	4416	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe
PID 2156 set thread context of 3644	2156	DD8989123MD.exe	DD8989123MD.exe
PID 2316 set thread context of 1536	2316	K8MN9DA.exe	K8MN9DA.exe
PID 2688 set thread context of 2536	2688	ZxKKE4oK8.exe	ZxKKE4oK8.exe
PID 3644 set thread context of 3952	3644	DD8989123MD.exe	DD8989123MD.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4740	4416	WerFault.exe	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe
1684	2156	WerFault.exe	DD8989123MD.exe
2720	2316	WerFault.exe	K8MN9DA.exe
1192	2688	WerFault.exe	ZxKKE4oK8.exe
4468	3952	WerFault.exe	DD8989123MD.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1764 schtasks.exe
Delays execution with timeout.exe 5 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

4972 timeout.exe
4852 timeout.exe
3568 timeout.exe
3572 timeout.exe
4044 timeout.exe

pid	process
1764	schtasks.exe

pid	process
4972	timeout.exe
4852	timeout.exe
3568	timeout.exe
3572	timeout.exe
4044	timeout.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

powershell.exe531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exeDD8989123MD.exeK8MN9DA.exeK8MN9DA.exeZxKKE4oK8.exeDD8989123MD.exe

pid	process
1200	powershell.exe
1200	powershell.exe
4416	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe
4416	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe
4416	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe
4416	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe
4416	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe
2156	DD8989123MD.exe
2316	K8MN9DA.exe
2156	DD8989123MD.exe
2156	DD8989123MD.exe
2316	K8MN9DA.exe
2316	K8MN9DA.exe
2156	DD8989123MD.exe
2156	DD8989123MD.exe
2316	K8MN9DA.exe
2316	K8MN9DA.exe
2316	K8MN9DA.exe
2316	K8MN9DA.exe
2316	K8MN9DA.exe
2316	K8MN9DA.exe
1536	K8MN9DA.exe
1536	K8MN9DA.exe
1536	K8MN9DA.exe
1536	K8MN9DA.exe
1536	K8MN9DA.exe
1536	K8MN9DA.exe
1536	K8MN9DA.exe
1536	K8MN9DA.exe
1536	K8MN9DA.exe
1536	K8MN9DA.exe
1536	K8MN9DA.exe
1536	K8MN9DA.exe
1536	K8MN9DA.exe
1536	K8MN9DA.exe
1536	K8MN9DA.exe
1536	K8MN9DA.exe
1536	K8MN9DA.exe
1536	K8MN9DA.exe
1536	K8MN9DA.exe
1536	K8MN9DA.exe
1536	K8MN9DA.exe
2688	ZxKKE4oK8.exe
2688	ZxKKE4oK8.exe
2688	ZxKKE4oK8.exe
3952	DD8989123MD.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exepowershell.exeDD8989123MD.exeK8MN9DA.exeK8MN9DA.exeZxKKE4oK8.exeZxKKE4oK8.exeDD8989123MD.exe

description	pid	process
Token: SeDebugPrivilege	4416	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe
Token: SeDebugPrivilege	1200	powershell.exe
Token: SeDebugPrivilege	2156	DD8989123MD.exe
Token: SeDebugPrivilege	2316	K8MN9DA.exe
Token: SeDebugPrivilege	1536	K8MN9DA.exe
Token: SeDebugPrivilege	2688	ZxKKE4oK8.exe
Token: SeDebugPrivilege	2536	ZxKKE4oK8.exe
Token: SeDebugPrivilege	3952	DD8989123MD.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.execmd.exe531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exeLunaInjector.exeK8MN9DA.exeDD8989123MD.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4416 wrote to memory of 1200	4416	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe	powershell.exe
PID 4416 wrote to memory of 1200	4416	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe	powershell.exe
PID 4416 wrote to memory of 1200	4416	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe	powershell.exe
PID 4416 wrote to memory of 256	4416	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe	cmd.exe
PID 4416 wrote to memory of 256	4416	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe	cmd.exe
PID 4416 wrote to memory of 256	4416	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe	cmd.exe
PID 256 wrote to memory of 4972	256	cmd.exe	timeout.exe
PID 256 wrote to memory of 4972	256	cmd.exe	timeout.exe
PID 256 wrote to memory of 4972	256	cmd.exe	timeout.exe
PID 4416 wrote to memory of 640	4416	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe
PID 4416 wrote to memory of 640	4416	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe
PID 4416 wrote to memory of 640	4416	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe
PID 4416 wrote to memory of 1280	4416	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe
PID 4416 wrote to memory of 1280	4416	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe
PID 4416 wrote to memory of 1280	4416	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe
PID 4416 wrote to memory of 1280	4416	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe
PID 4416 wrote to memory of 1280	4416	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe
PID 4416 wrote to memory of 1280	4416	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe
PID 4416 wrote to memory of 1280	4416	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe
PID 4416 wrote to memory of 1280	4416	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe
PID 1280 wrote to memory of 2156	1280	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe	DD8989123MD.exe
PID 1280 wrote to memory of 2156	1280	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe	DD8989123MD.exe
PID 1280 wrote to memory of 2156	1280	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe	DD8989123MD.exe
PID 1280 wrote to memory of 2316	1280	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe	K8MN9DA.exe
PID 1280 wrote to memory of 2316	1280	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe	K8MN9DA.exe
PID 1280 wrote to memory of 2316	1280	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe	K8MN9DA.exe
PID 1280 wrote to memory of 1144	1280	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe	LunaInjector.exe
PID 1280 wrote to memory of 1144	1280	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe	LunaInjector.exe
PID 1280 wrote to memory of 1144	1280	531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe	LunaInjector.exe
PID 1144 wrote to memory of 544	1144	LunaInjector.exe	cmd.exe
PID 1144 wrote to memory of 544	1144	LunaInjector.exe	cmd.exe
PID 2316 wrote to memory of 3356	2316	K8MN9DA.exe	cmd.exe
PID 2316 wrote to memory of 3356	2316	K8MN9DA.exe	cmd.exe
PID 2316 wrote to memory of 3356	2316	K8MN9DA.exe	cmd.exe
PID 2156 wrote to memory of 1776	2156	DD8989123MD.exe	cmd.exe
PID 2156 wrote to memory of 1776	2156	DD8989123MD.exe	cmd.exe
PID 2156 wrote to memory of 1776	2156	DD8989123MD.exe	cmd.exe
PID 1776 wrote to memory of 4852	1776	cmd.exe	timeout.exe
PID 1776 wrote to memory of 4852	1776	cmd.exe	timeout.exe
PID 1776 wrote to memory of 4852	1776	cmd.exe	timeout.exe
PID 3356 wrote to memory of 3568	3356	cmd.exe	timeout.exe
PID 3356 wrote to memory of 3568	3356	cmd.exe	timeout.exe
PID 3356 wrote to memory of 3568	3356	cmd.exe	timeout.exe
PID 544 wrote to memory of 3592	544	cmd.exe	chcp.com
PID 544 wrote to memory of 3592	544	cmd.exe	chcp.com
PID 2156 wrote to memory of 3492	2156	DD8989123MD.exe	DD8989123MD.exe
PID 2156 wrote to memory of 3492	2156	DD8989123MD.exe	DD8989123MD.exe
PID 2156 wrote to memory of 3492	2156	DD8989123MD.exe	DD8989123MD.exe
PID 2156 wrote to memory of 3644	2156	DD8989123MD.exe	DD8989123MD.exe
PID 2156 wrote to memory of 3644	2156	DD8989123MD.exe	DD8989123MD.exe
PID 2156 wrote to memory of 3644	2156	DD8989123MD.exe	DD8989123MD.exe
PID 2316 wrote to memory of 4960	2316	K8MN9DA.exe	K8MN9DA.exe
PID 2316 wrote to memory of 4960	2316	K8MN9DA.exe	K8MN9DA.exe
PID 2316 wrote to memory of 4960	2316	K8MN9DA.exe	K8MN9DA.exe
PID 2156 wrote to memory of 3644	2156	DD8989123MD.exe	DD8989123MD.exe
PID 2156 wrote to memory of 3644	2156	DD8989123MD.exe	DD8989123MD.exe
PID 2156 wrote to memory of 3644	2156	DD8989123MD.exe	DD8989123MD.exe
PID 2156 wrote to memory of 3644	2156	DD8989123MD.exe	DD8989123MD.exe
PID 2156 wrote to memory of 3644	2156	DD8989123MD.exe	DD8989123MD.exe
PID 2316 wrote to memory of 3332	2316	K8MN9DA.exe	K8MN9DA.exe
PID 2316 wrote to memory of 3332	2316	K8MN9DA.exe	K8MN9DA.exe
PID 2316 wrote to memory of 3332	2316	K8MN9DA.exe	K8MN9DA.exe
PID 2316 wrote to memory of 2752	2316	K8MN9DA.exe	K8MN9DA.exe
PID 2316 wrote to memory of 2752	2316	K8MN9DA.exe	K8MN9DA.exe

C:\Users\Admin\AppData\Local\Temp\531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe
"C:\Users\Admin\AppData\Local\Temp\531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Windows security bypass
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Windows security modification
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4416

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1200

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
- Suspicious use of WriteProcessMemory
PID:256

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:4972

C:\Users\Admin\AppData\Local\Temp\531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe
"C:\Users\Admin\AppData\Local\Temp\531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe"
2⤵
PID:640

C:\Users\Admin\AppData\Local\Temp\531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe
"C:\Users\Admin\AppData\Local\Temp\531bf9fac0acb821391741eb0ed737df303aba700db962771e7795845bf8c72f.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1280

C:\Users\Admin\AppData\Local\Temp\DD8989123MD.exe
"C:\Users\Admin\AppData\Local\Temp\DD8989123MD.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2156

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
4⤵
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\SysWOW64\timeout.exe
timeout 1
5⤵
- Delays execution with timeout.exe
PID:4852

C:\Users\Admin\AppData\Local\Temp\DD8989123MD.exe
"C:\Users\Admin\AppData\Local\Temp\DD8989123MD.exe"
4⤵
- Executes dropped EXE
PID:3492

C:\Users\Admin\AppData\Local\Temp\DD8989123MD.exe
"C:\Users\Admin\AppData\Local\Temp\DD8989123MD.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3644

C:\Users\Admin\AppData\Local\Temp\DD8989123MD.exe
"C:\Users\Admin\AppData\Local\Temp\DD8989123MD.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 1900
6⤵
- Program crash
PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 1500
4⤵
- Program crash
PID:1684

C:\Users\Admin\AppData\Local\Temp\K8MN9DA.exe
"C:\Users\Admin\AppData\Local\Temp\K8MN9DA.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2316

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
4⤵
- Suspicious use of WriteProcessMemory
PID:3356

C:\Windows\SysWOW64\timeout.exe
timeout 1
5⤵
- Delays execution with timeout.exe
PID:3568

C:\Users\Admin\AppData\Local\Temp\K8MN9DA.exe
"C:\Users\Admin\AppData\Local\Temp\K8MN9DA.exe"
4⤵
- Executes dropped EXE
PID:4960

C:\Users\Admin\AppData\Local\Temp\K8MN9DA.exe
"C:\Users\Admin\AppData\Local\Temp\K8MN9DA.exe"
4⤵
- Executes dropped EXE
PID:3332

C:\Users\Admin\AppData\Local\Temp\K8MN9DA.exe
"C:\Users\Admin\AppData\Local\Temp\K8MN9DA.exe"
4⤵
- Executes dropped EXE
PID:2752

C:\Users\Admin\AppData\Local\Temp\K8MN9DA.exe
"C:\Users\Admin\AppData\Local\Temp\K8MN9DA.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1536

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "ZxKKE4oK8" /tr '"C:\Users\Admin\AppData\Local\Temp\ZxKKE4oK8.exe"' & exit
5⤵
PID:2408

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "ZxKKE4oK8" /tr '"C:\Users\Admin\AppData\Local\Temp\ZxKKE4oK8.exe"'
6⤵
- Creates scheduled task(s)
PID:1764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp89D1.tmp.bat""
5⤵
PID:3012

C:\Windows\SysWOW64\timeout.exe
timeout 3
6⤵
- Delays execution with timeout.exe
PID:3572

C:\Users\Admin\AppData\Local\Temp\ZxKKE4oK8.exe
"C:\Users\Admin\AppData\Local\Temp\ZxKKE4oK8.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2688

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
7⤵
PID:4180

C:\Windows\SysWOW64\timeout.exe
timeout 1
8⤵
- Delays execution with timeout.exe
PID:4044

C:\Users\Admin\AppData\Local\Temp\ZxKKE4oK8.exe
"C:\Users\Admin\AppData\Local\Temp\ZxKKE4oK8.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 1472
7⤵
- Program crash
PID:1192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 1464
4⤵
- Program crash
PID:2720

C:\Users\Admin\AppData\Roaming\LunaInjector.exe
"C:\Users\Admin\AppData\Roaming\LunaInjector.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1144

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6699.tmp\669A.tmp\66AB.bat C:\Users\Admin\AppData\Roaming\LunaInjector.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:544

C:\Windows\system32\chcp.com
chcp 65001
5⤵
PID:3592

C:\Windows\system32\mode.com
mode 82,24
5⤵
PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 2272
2⤵
- Program crash
PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4416 -ip 4416
1⤵
PID:1140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2156 -ip 2156
1⤵
PID:3576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2316 -ip 2316
1⤵
PID:432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2688 -ip 2688
1⤵
PID:3872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3952 -ip 3952
1⤵
PID:3704

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

Disabling Security Tools

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery