8b04b7f3524782f1533cc1ff0f78e99b6618f8903a15a7670517d78f0781692b

Bypass User Account Control

T1088

Disabling Security Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ef29e00e296b22385eddc32f0d929bef166fa09e.exe

Windows security bypass 2 TTPs 2 IoCs

Disabling Security Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\ef29e00e296b22385eddc32f0d929bef166fa09e.exe = "0"	ef29e00e296b22385eddc32f0d929bef166fa09e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	ef29e00e296b22385eddc32f0d929bef166fa09e.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TaskKill\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Иисус.sys"	ef29e00e296b22385eddc32f0d929bef166fa09e.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	ef29e00e296b22385eddc32f0d929bef166fa09e.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Windows security modification 2 TTPs 3 IoCs

Disabling Security Tools

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions	ef29e00e296b22385eddc32f0d929bef166fa09e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\ef29e00e296b22385eddc32f0d929bef166fa09e.exe = "0"	ef29e00e296b22385eddc32f0d929bef166fa09e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	ef29e00e296b22385eddc32f0d929bef166fa09e.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 2 IoCs

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ef29e00e296b22385eddc32f0d929bef166fa09e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ef29e00e296b22385eddc32f0d929bef166fa09e.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4860 set thread context of 1124	4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe	94

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
4544	powershell.exe
4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe
4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe
4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe
4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe
4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe
4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe
4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe
4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe
4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe
4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe
4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe
4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe
4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe
4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe
4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe
4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe
4544	powershell.exe
4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe
4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe
4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe
4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe
4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe
4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe
4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe
4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe
4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe
4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe
4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe
4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe
4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe
4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe
4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe
4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe
1124	AddInProcess32.exe
1124	AddInProcess32.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe
Token: SeLoadDriverPrivilege	4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe
Token: SeDebugPrivilege	4544	powershell.exe
Token: SeDebugPrivilege	4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe
Token: SeDebugPrivilege	1124	AddInProcess32.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4860 wrote to memory of 4544	4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe	80
PID 4860 wrote to memory of 4544	4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe	80
PID 4860 wrote to memory of 2164	4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe	82
PID 4860 wrote to memory of 2164	4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe	82
PID 4860 wrote to memory of 4284	4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe	84
PID 4860 wrote to memory of 4284	4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe	84
PID 4860 wrote to memory of 4936	4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe	83
PID 4860 wrote to memory of 4936	4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe	83
PID 4860 wrote to memory of 4588	4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe	85
PID 4860 wrote to memory of 4588	4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe	85
PID 4860 wrote to memory of 4632	4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe	86
PID 4860 wrote to memory of 4632	4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe	86
PID 4860 wrote to memory of 540	4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe	90
PID 4860 wrote to memory of 540	4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe	90
PID 4860 wrote to memory of 5008	4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe	87
PID 4860 wrote to memory of 5008	4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe	87
PID 4860 wrote to memory of 1588	4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe	88
PID 4860 wrote to memory of 1588	4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe	88
PID 4860 wrote to memory of 2064	4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe	89
PID 4860 wrote to memory of 2064	4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe	89
PID 4860 wrote to memory of 1136	4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe	91
PID 4860 wrote to memory of 1136	4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe	91
PID 4860 wrote to memory of 1112	4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe	92
PID 4860 wrote to memory of 1112	4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe	92
PID 4860 wrote to memory of 4396	4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe	93
PID 4860 wrote to memory of 4396	4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe	93
PID 4860 wrote to memory of 3224	4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe	98
PID 4860 wrote to memory of 3224	4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe	98
PID 4860 wrote to memory of 400	4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe	97
PID 4860 wrote to memory of 400	4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe	97
PID 4860 wrote to memory of 656	4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe	96
PID 4860 wrote to memory of 656	4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe	96
PID 4860 wrote to memory of 1128	4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe	95
PID 4860 wrote to memory of 1128	4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe	95
PID 4860 wrote to memory of 1124	4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe	94
PID 4860 wrote to memory of 1124	4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe	94
PID 4860 wrote to memory of 1124	4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe	94
PID 4860 wrote to memory of 1124	4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe	94
PID 4860 wrote to memory of 1124	4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe	94
PID 4860 wrote to memory of 1124	4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe	94
PID 4860 wrote to memory of 1124	4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe	94
PID 4860 wrote to memory of 1124	4860	ef29e00e296b22385eddc32f0d929bef166fa09e.exe	94

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	ef29e00e296b22385eddc32f0d929bef166fa09e.exe

C:\Users\Admin\AppData\Local\Temp\ef29e00e296b22385eddc32f0d929bef166fa09e.exe
"C:\Users\Admin\AppData\Local\Temp\ef29e00e296b22385eddc32f0d929bef166fa09e.exe"
1⤵
- UAC bypass
- Windows security bypass
- Sets service image path in registry
- Checks computer location settings
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ef29e00e296b22385eddc32f0d929bef166fa09e.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4544
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
  2⤵
  PID:2164
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
  2⤵
  PID:4936
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
  2⤵
  PID:4284
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
  2⤵
  PID:4588
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:4632
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
  2⤵
  PID:5008
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:1588
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
  2⤵
  PID:2064
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
  2⤵
  PID:540
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
  2⤵
  PID:1136
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
  2⤵
  PID:1112
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
  2⤵
  PID:4396
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1124
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
  2⤵
  PID:1128
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
  2⤵
  PID:656
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
  2⤵
  PID:400
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
  2⤵
  PID:3224

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

Modify Registry