Analysis
max time kernel: 135s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/06/2023, 19:17
Static task: static1
Behavioral task: behavioral1 (sample: file.exe, resource: win7-20230220-en)
Behavioral task: behavioral2 (sample: file.exe, resource: win10v2004-20230220-en)
General
Target: file.exe
Size: 560KB
MD5: 0500e55091f7055bf28ec7670ac07a8e
SHA1: f128be0f27fa9b44389eb25abbe967bab27d7e9f
SHA256: b2881644ca2777869b611abca810c4ea6eaa347f65abf1d9920313523c5939c2
SHA512: 3117b41064d1f75481ea40874d945728427139c16888fdcd489707b30de9ddc1297b9e9901ff0c6bd18dd5ed96155eb277ecfa302f4ab3dd9e2e79eb1054f98a
SSDEEP: 12288:YBpjpAxCHUtrYrMCWmi86LOJJaga1jsh2ERCqS:lx0UtUrfrtlkm8f
Malware Config
Extracted
Family: redline
Botnet: VEBO.01-06_H
C2: 50.114.39.71:10576
auth_value: 4baffaf63b3dd023176c1aae4d99ad49
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | svchost.exe

Windows security bypass
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\svchost.exe = "0" | svchost.exe
Looks for VirtualBox Guest Additions in registry (2 TTPs, 2 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | file.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | svchost.exe

Looks for VMWare Tools registry key (2 TTPs, 2 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools | file.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools | svchost.exe

Sets service image path in registry (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TaskKill\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Иисус.sys" | svchost.exe

Checks BIOS information in registry (2 TTPs, 4 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | file.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | file.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation | svchost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation | file.exe

Executes dropped EXE (1 IoC)
pid | Process
952 | svchost.exe

Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\svchost.exe = "0" | svchost.exe

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\"" | file.exe

Checks whether UAC is enabled
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | svchost.exe

Maps connected drives based on registry (3 TTPs, 4 IoCs)
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | file.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | file.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | svchost.exe
Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 952 set thread context of 4240 | 952 | svchost.exe | 98

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3404 | schtasks.exe

Delays execution with timeout.exe (1 IoC)
pid | Process
3244 | timeout.exe

Suspicious behavior: EnumeratesProcesses (35 IoCs)
pid | Process | occurrences
2296 | file.exe | 23
952 | svchost.exe | 8
216 | powershell.exe | 2
4240 | jsc.exe | 2

Suspicious behavior: LoadsDriver (1 IoC)
pid | Process
952 | svchost.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2296 | file.exe
Token: SeDebugPrivilege | 952 | svchost.exe
Token: SeDebugPrivilege | 952 | svchost.exe
Token: SeLoadDriverPrivilege | 952 | svchost.exe
Token: SeDebugPrivilege | 216 | powershell.exe
Token: SeDebugPrivilege | 4240 | jsc.exe

Suspicious use of WriteProcessMemory (28 IoCs)
description | pid | Process | procid_target | occurrences
PID 2296 wrote to memory of 4940 | 2296 | file.exe | 85 | 2
PID 2296 wrote to memory of 4804 | 2296 | file.exe | 87 | 2
PID 4804 wrote to memory of 3244 | 4804 | cmd.exe | 89 | 2
PID 4940 wrote to memory of 3404 | 4940 | cmd.exe | 90 | 2
PID 4804 wrote to memory of 952 | 4804 | cmd.exe | 91 | 2
PID 952 wrote to memory of 216 | 952 | svchost.exe | 92 | 2
PID 952 wrote to memory of 4376 | 952 | svchost.exe | 94 | 2
PID 952 wrote to memory of 4288 | 952 | svchost.exe | 96 | 2
PID 952 wrote to memory of 4652 | 952 | svchost.exe | 95 | 2
PID 952 wrote to memory of 4064 | 952 | svchost.exe | 97 | 2
PID 952 wrote to memory of 4240 | 952 | svchost.exe | 98 | 8

System policy modification (1 TTP, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | svchost.exe

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  PID: 2296
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Checks computer location settings
  - Adds Run key to start application
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
      PID: 4940
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\schtasks.exe
          Command line: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
          PID: 3404
          - Creates scheduled task(s)

    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp96F5.tmp.bat""
      PID: 4804
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\timeout.exe
          Command line: timeout 3
          PID: 3244
          - Delays execution with timeout.exe

        C:\Users\Admin\AppData\Roaming\svchost.exe
          Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
          PID: 952
          - UAC bypass
          - Windows security bypass
          - Looks for VirtualBox Guest Additions in registry
          - Looks for VMWare Tools registry key
          - Sets service image path in registry
          - Checks BIOS information in registry
          - Checks computer location settings
          - Executes dropped EXE
          - Windows security modification
          - Checks whether UAC is enabled
          - Maps connected drives based on registry
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: LoadsDriver
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification

            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svchost.exe" -Force
              PID: 216
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken

            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
              Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"
              PID: 4376

            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
              Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
              PID: 4652

            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
              Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
              PID: 4288

            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
              Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
              PID: 4064

            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
              Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
              PID: 4240
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

File 1
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

File 2
Filesize: 151B
MD5: 2b52ef1807cd14f2288d1ff35536b596
SHA1: ff7a6803935f8c6df09cc176e20f8823638c8b82
SHA256: 1c6a0906c61666688e30101b97d5d5d3f6204fa8abdfca1e2014606edecd6cab
SHA512: 65d781463e36bb6553d354d3870ffc072746c8195d91faec147f4181e53aaac8ef5af5d2f34c440d3ad50f9b6ed0d256bf40154b5d9947cd1c86e559f1e0e96f

File 3 (listed twice in the report; same hashes as the submitted sample file.exe)
Filesize: 560KB
MD5: 0500e55091f7055bf28ec7670ac07a8e
SHA1: f128be0f27fa9b44389eb25abbe967bab27d7e9f
SHA256: b2881644ca2777869b611abca810c4ea6eaa347f65abf1d9920313523c5939c2
SHA512: 3117b41064d1f75481ea40874d945728427139c16888fdcd489707b30de9ddc1297b9e9901ff0c6bd18dd5ed96155eb277ecfa302f4ab3dd9e2e79eb1054f98a