redline | ed7707860347ea07199de6d5fb4e25d6c7e059cf8b21e4b02d19a1db9a864569

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	15e26094676227ed93d5968badafe6f33ac17f77b9e91ef7ef86ee82d5a07821.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	svchost.exe

Looks for VMWare Tools registry key 2 TTPs 2 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	15e26094676227ed93d5968badafe6f33ac17f77b9e91ef7ef86ee82d5a07821.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	svchost.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TaskKill\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Иисус.sys"	svchost.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	15e26094676227ed93d5968badafe6f33ac17f77b9e91ef7ef86ee82d5a07821.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	15e26094676227ed93d5968badafe6f33ac17f77b9e91ef7ef86ee82d5a07821.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
1856	svchost.exe

Loads dropped DLL 1 IoCs

pid	Process
1664	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""	15e26094676227ed93d5968badafe6f33ac17f77b9e91ef7ef86ee82d5a07821.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	15e26094676227ed93d5968badafe6f33ac17f77b9e91ef7ef86ee82d5a07821.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	15e26094676227ed93d5968badafe6f33ac17f77b9e91ef7ef86ee82d5a07821.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1856 set thread context of 2016	1856	svchost.exe	38

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1540	2016	WerFault.exe	38

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
1340	schtasks.exe

Delays execution with timeout.exe 1 IoCs

pid	Process
576	timeout.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1216	15e26094676227ed93d5968badafe6f33ac17f77b9e91ef7ef86ee82d5a07821.exe
1360	powershell.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
1856	svchost.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1216	15e26094676227ed93d5968badafe6f33ac17f77b9e91ef7ef86ee82d5a07821.exe
Token: SeDebugPrivilege	1856	svchost.exe
Token: SeDebugPrivilege	1856	svchost.exe
Token: SeLoadDriverPrivilege	1856	svchost.exe
Token: SeDebugPrivilege	1360	powershell.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 1216 wrote to memory of 1148	1216	15e26094676227ed93d5968badafe6f33ac17f77b9e91ef7ef86ee82d5a07821.exe	29
PID 1216 wrote to memory of 1148	1216	15e26094676227ed93d5968badafe6f33ac17f77b9e91ef7ef86ee82d5a07821.exe	29
PID 1216 wrote to memory of 1148	1216	15e26094676227ed93d5968badafe6f33ac17f77b9e91ef7ef86ee82d5a07821.exe	29
PID 1216 wrote to memory of 1664	1216	15e26094676227ed93d5968badafe6f33ac17f77b9e91ef7ef86ee82d5a07821.exe	31
PID 1216 wrote to memory of 1664	1216	15e26094676227ed93d5968badafe6f33ac17f77b9e91ef7ef86ee82d5a07821.exe	31
PID 1216 wrote to memory of 1664	1216	15e26094676227ed93d5968badafe6f33ac17f77b9e91ef7ef86ee82d5a07821.exe	31
PID 1664 wrote to memory of 576	1664	cmd.exe	33
PID 1664 wrote to memory of 576	1664	cmd.exe	33
PID 1664 wrote to memory of 576	1664	cmd.exe	33
PID 1148 wrote to memory of 1340	1148	cmd.exe	34
PID 1148 wrote to memory of 1340	1148	cmd.exe	34
PID 1148 wrote to memory of 1340	1148	cmd.exe	34
PID 1664 wrote to memory of 1856	1664	cmd.exe	35
PID 1664 wrote to memory of 1856	1664	cmd.exe	35
PID 1664 wrote to memory of 1856	1664	cmd.exe	35
PID 1856 wrote to memory of 1360	1856	svchost.exe	36
PID 1856 wrote to memory of 1360	1856	svchost.exe	36
PID 1856 wrote to memory of 1360	1856	svchost.exe	36
PID 1856 wrote to memory of 2016	1856	svchost.exe	38
PID 1856 wrote to memory of 2016	1856	svchost.exe	38
PID 1856 wrote to memory of 2016	1856	svchost.exe	38
PID 1856 wrote to memory of 2016	1856	svchost.exe	38
PID 1856 wrote to memory of 2016	1856	svchost.exe	38
PID 1856 wrote to memory of 2016	1856	svchost.exe	38
PID 1856 wrote to memory of 2016	1856	svchost.exe	38
PID 1856 wrote to memory of 2016	1856	svchost.exe	38
PID 1856 wrote to memory of 2016	1856	svchost.exe	38
PID 2016 wrote to memory of 1540	2016	jsc.exe	39
PID 2016 wrote to memory of 1540	2016	jsc.exe	39
PID 2016 wrote to memory of 1540	2016	jsc.exe	39
PID 2016 wrote to memory of 1540	2016	jsc.exe	39

System policy modification 1 TTPs 1 IoCs

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\15e26094676227ed93d5968badafe6f33ac17f77b9e91ef7ef86ee82d5a07821.exe
"C:\Users\Admin\AppData\Local\Temp\15e26094676227ed93d5968badafe6f33ac17f77b9e91ef7ef86ee82d5a07821.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1148
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
    3⤵
    - Creates scheduled task(s)
    PID:1340
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp19D8.tmp.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:576
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - UAC bypass
    - Looks for VirtualBox Guest Additions in registry
    - Looks for VMWare Tools registry key
    - Sets service image path in registry
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1856
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svchost.exe" -Force
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1360
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2016
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 504
        5⤵
        Program crash
        
        PID:1540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion