redline | b2881644ca2777869b611abca810c4ea6eaa347f65abf1d9920313523c5939c2

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	file.exe

Looks for VMWare Tools registry key 2 TTPs 2 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	file.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	svchost.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TaskKill\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Иисус.sys"	svchost.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
1356	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
1388	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""	file.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	file.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	file.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1356 set thread context of 364	1356	svchost.exe	46

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1172	364	WerFault.exe	46

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
2032	schtasks.exe

Delays execution with timeout.exe 1 IoCs

pid	Process
1612	timeout.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
912	file.exe
1532	powershell.exe
1356	svchost.exe
1356	svchost.exe
1356	svchost.exe
1356	svchost.exe
1356	svchost.exe
1356	svchost.exe
1356	svchost.exe
1356	svchost.exe
1356	svchost.exe
1356	svchost.exe
1356	svchost.exe
1356	svchost.exe
1356	svchost.exe
1356	svchost.exe
1356	svchost.exe
1356	svchost.exe
1356	svchost.exe
1356	svchost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
1356	svchost.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	912	file.exe
Token: SeDebugPrivilege	1356	svchost.exe
Token: SeDebugPrivilege	1356	svchost.exe
Token: SeLoadDriverPrivilege	1356	svchost.exe
Token: SeDebugPrivilege	1532	powershell.exe

Suspicious use of WriteProcessMemory 61 IoCs

description	pid	Process	procid_target
PID 912 wrote to memory of 560	912	file.exe	28
PID 912 wrote to memory of 560	912	file.exe	28
PID 912 wrote to memory of 560	912	file.exe	28
PID 560 wrote to memory of 2032	560	cmd.exe	30
PID 560 wrote to memory of 2032	560	cmd.exe	30
PID 560 wrote to memory of 2032	560	cmd.exe	30
PID 912 wrote to memory of 1388	912	file.exe	31
PID 912 wrote to memory of 1388	912	file.exe	31
PID 912 wrote to memory of 1388	912	file.exe	31
PID 1388 wrote to memory of 1612	1388	cmd.exe	33
PID 1388 wrote to memory of 1612	1388	cmd.exe	33
PID 1388 wrote to memory of 1612	1388	cmd.exe	33
PID 1388 wrote to memory of 1356	1388	cmd.exe	34
PID 1388 wrote to memory of 1356	1388	cmd.exe	34
PID 1388 wrote to memory of 1356	1388	cmd.exe	34
PID 1356 wrote to memory of 1532	1356	svchost.exe	35
PID 1356 wrote to memory of 1532	1356	svchost.exe	35
PID 1356 wrote to memory of 1532	1356	svchost.exe	35
PID 1356 wrote to memory of 1740	1356	svchost.exe	37
PID 1356 wrote to memory of 1740	1356	svchost.exe	37
PID 1356 wrote to memory of 1740	1356	svchost.exe	37
PID 1356 wrote to memory of 672	1356	svchost.exe	38
PID 1356 wrote to memory of 672	1356	svchost.exe	38
PID 1356 wrote to memory of 672	1356	svchost.exe	38
PID 1356 wrote to memory of 1908	1356	svchost.exe	39
PID 1356 wrote to memory of 1908	1356	svchost.exe	39
PID 1356 wrote to memory of 1908	1356	svchost.exe	39
PID 1356 wrote to memory of 1728	1356	svchost.exe	40
PID 1356 wrote to memory of 1728	1356	svchost.exe	40
PID 1356 wrote to memory of 1728	1356	svchost.exe	40
PID 1356 wrote to memory of 1964	1356	svchost.exe	41
PID 1356 wrote to memory of 1964	1356	svchost.exe	41
PID 1356 wrote to memory of 1964	1356	svchost.exe	41
PID 1356 wrote to memory of 588	1356	svchost.exe	42
PID 1356 wrote to memory of 588	1356	svchost.exe	42
PID 1356 wrote to memory of 588	1356	svchost.exe	42
PID 1356 wrote to memory of 1816	1356	svchost.exe	43
PID 1356 wrote to memory of 1816	1356	svchost.exe	43
PID 1356 wrote to memory of 1816	1356	svchost.exe	43
PID 1356 wrote to memory of 656	1356	svchost.exe	44
PID 1356 wrote to memory of 656	1356	svchost.exe	44
PID 1356 wrote to memory of 656	1356	svchost.exe	44
PID 1356 wrote to memory of 1480	1356	svchost.exe	45
PID 1356 wrote to memory of 1480	1356	svchost.exe	45
PID 1356 wrote to memory of 1480	1356	svchost.exe	45
PID 1356 wrote to memory of 364	1356	svchost.exe	46
PID 1356 wrote to memory of 364	1356	svchost.exe	46
PID 1356 wrote to memory of 364	1356	svchost.exe	46
PID 1356 wrote to memory of 364	1356	svchost.exe	46
PID 1356 wrote to memory of 364	1356	svchost.exe	46
PID 1356 wrote to memory of 364	1356	svchost.exe	46
PID 1356 wrote to memory of 364	1356	svchost.exe	46
PID 1356 wrote to memory of 364	1356	svchost.exe	46
PID 1356 wrote to memory of 364	1356	svchost.exe	46
PID 1356 wrote to memory of 364	1356	svchost.exe	46
PID 1356 wrote to memory of 364	1356	svchost.exe	46
PID 1356 wrote to memory of 364	1356	svchost.exe	46
PID 364 wrote to memory of 1172	364	SetupUtility.exe	47
PID 364 wrote to memory of 1172	364	SetupUtility.exe	47
PID 364 wrote to memory of 1172	364	SetupUtility.exe	47
PID 364 wrote to memory of 1172	364	SetupUtility.exe	47

System policy modification 1 TTPs 1 IoCs

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:912
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:560
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
    3⤵
    - Creates scheduled task(s)
    PID:2032
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp6D73.tmp.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1388
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1612
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - UAC bypass
    - Looks for VirtualBox Guest Additions in registry
    - Looks for VMWare Tools registry key
    - Sets service image path in registry
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1356
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svchost.exe" -Force
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1532
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
      4⤵
      PID:1740
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
      4⤵
      PID:672
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
      4⤵
      PID:1908
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
      4⤵
      PID:1728
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
      4⤵
      PID:1964
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
      4⤵
      PID:588
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
      4⤵
      PID:1816
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:656
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
      4⤵
      PID:1480
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SetupUtility.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SetupUtility.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:364
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 364 -s 168
        5⤵
        Program crash
        
        PID:1172

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion