redline | ed7707860347ea07199de6d5fb4e25d6c7e059cf8b21e4b02d19a1db9a864569

Bypass User Account Control

T1088

Disabling Security Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Windows security bypass 2 TTPs 2 IoCs

Disabling Security Tools

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\svchost.exe = "0"	svchost.exe

Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	15e26094676227ed93d5968badafe6f33ac17f77b9e91ef7ef86ee82d5a07821.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	svchost.exe

Looks for VMWare Tools registry key 2 TTPs 2 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	15e26094676227ed93d5968badafe6f33ac17f77b9e91ef7ef86ee82d5a07821.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	svchost.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TaskKill\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Иисус.sys"	svchost.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	15e26094676227ed93d5968badafe6f33ac17f77b9e91ef7ef86ee82d5a07821.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	15e26094676227ed93d5968badafe6f33ac17f77b9e91ef7ef86ee82d5a07821.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	15e26094676227ed93d5968badafe6f33ac17f77b9e91ef7ef86ee82d5a07821.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
4512	svchost.exe

Windows security modification 2 TTPs 3 IoCs

Disabling Security Tools

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\svchost.exe = "0"	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""	15e26094676227ed93d5968badafe6f33ac17f77b9e91ef7ef86ee82d5a07821.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	15e26094676227ed93d5968badafe6f33ac17f77b9e91ef7ef86ee82d5a07821.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	15e26094676227ed93d5968badafe6f33ac17f77b9e91ef7ef86ee82d5a07821.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4512 set thread context of 3060	4512	svchost.exe	106

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1120	3060	WerFault.exe	106

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
1308	schtasks.exe

Delays execution with timeout.exe 1 IoCs

pid	Process
3004	timeout.exe

Suspicious behavior: EnumeratesProcesses 51 IoCs

pid	Process
820	15e26094676227ed93d5968badafe6f33ac17f77b9e91ef7ef86ee82d5a07821.exe
820	15e26094676227ed93d5968badafe6f33ac17f77b9e91ef7ef86ee82d5a07821.exe
820	15e26094676227ed93d5968badafe6f33ac17f77b9e91ef7ef86ee82d5a07821.exe
820	15e26094676227ed93d5968badafe6f33ac17f77b9e91ef7ef86ee82d5a07821.exe
820	15e26094676227ed93d5968badafe6f33ac17f77b9e91ef7ef86ee82d5a07821.exe
820	15e26094676227ed93d5968badafe6f33ac17f77b9e91ef7ef86ee82d5a07821.exe
820	15e26094676227ed93d5968badafe6f33ac17f77b9e91ef7ef86ee82d5a07821.exe
820	15e26094676227ed93d5968badafe6f33ac17f77b9e91ef7ef86ee82d5a07821.exe
820	15e26094676227ed93d5968badafe6f33ac17f77b9e91ef7ef86ee82d5a07821.exe
820	15e26094676227ed93d5968badafe6f33ac17f77b9e91ef7ef86ee82d5a07821.exe
820	15e26094676227ed93d5968badafe6f33ac17f77b9e91ef7ef86ee82d5a07821.exe
820	15e26094676227ed93d5968badafe6f33ac17f77b9e91ef7ef86ee82d5a07821.exe
820	15e26094676227ed93d5968badafe6f33ac17f77b9e91ef7ef86ee82d5a07821.exe
820	15e26094676227ed93d5968badafe6f33ac17f77b9e91ef7ef86ee82d5a07821.exe
820	15e26094676227ed93d5968badafe6f33ac17f77b9e91ef7ef86ee82d5a07821.exe
820	15e26094676227ed93d5968badafe6f33ac17f77b9e91ef7ef86ee82d5a07821.exe
820	15e26094676227ed93d5968badafe6f33ac17f77b9e91ef7ef86ee82d5a07821.exe
820	15e26094676227ed93d5968badafe6f33ac17f77b9e91ef7ef86ee82d5a07821.exe
820	15e26094676227ed93d5968badafe6f33ac17f77b9e91ef7ef86ee82d5a07821.exe
820	15e26094676227ed93d5968badafe6f33ac17f77b9e91ef7ef86ee82d5a07821.exe
820	15e26094676227ed93d5968badafe6f33ac17f77b9e91ef7ef86ee82d5a07821.exe
820	15e26094676227ed93d5968badafe6f33ac17f77b9e91ef7ef86ee82d5a07821.exe
820	15e26094676227ed93d5968badafe6f33ac17f77b9e91ef7ef86ee82d5a07821.exe
4512	svchost.exe
4512	svchost.exe
4512	svchost.exe
4512	svchost.exe
4512	svchost.exe
4512	svchost.exe
4312	powershell.exe
4512	svchost.exe
4512	svchost.exe
4512	svchost.exe
4512	svchost.exe
4512	svchost.exe
4512	svchost.exe
4512	svchost.exe
4512	svchost.exe
4512	svchost.exe
4512	svchost.exe
4312	powershell.exe
4512	svchost.exe
4512	svchost.exe
4512	svchost.exe
4512	svchost.exe
4512	svchost.exe
4512	svchost.exe
4512	svchost.exe
4512	svchost.exe
4512	svchost.exe
4512	svchost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
4512	svchost.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	820	15e26094676227ed93d5968badafe6f33ac17f77b9e91ef7ef86ee82d5a07821.exe
Token: SeDebugPrivilege	4512	svchost.exe
Token: SeDebugPrivilege	4512	svchost.exe
Token: SeLoadDriverPrivilege	4512	svchost.exe
Token: SeDebugPrivilege	4312	powershell.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 820 wrote to memory of 3176	820	15e26094676227ed93d5968badafe6f33ac17f77b9e91ef7ef86ee82d5a07821.exe	84
PID 820 wrote to memory of 3176	820	15e26094676227ed93d5968badafe6f33ac17f77b9e91ef7ef86ee82d5a07821.exe	84
PID 820 wrote to memory of 4176	820	15e26094676227ed93d5968badafe6f33ac17f77b9e91ef7ef86ee82d5a07821.exe	86
PID 820 wrote to memory of 4176	820	15e26094676227ed93d5968badafe6f33ac17f77b9e91ef7ef86ee82d5a07821.exe	86
PID 3176 wrote to memory of 1308	3176	cmd.exe	88
PID 3176 wrote to memory of 1308	3176	cmd.exe	88
PID 4176 wrote to memory of 3004	4176	cmd.exe	89
PID 4176 wrote to memory of 3004	4176	cmd.exe	89
PID 4176 wrote to memory of 4512	4176	cmd.exe	90
PID 4176 wrote to memory of 4512	4176	cmd.exe	90
PID 4512 wrote to memory of 4312	4512	svchost.exe	91
PID 4512 wrote to memory of 4312	4512	svchost.exe	91
PID 4512 wrote to memory of 232	4512	svchost.exe	93
PID 4512 wrote to memory of 232	4512	svchost.exe	93
PID 4512 wrote to memory of 228	4512	svchost.exe	94
PID 4512 wrote to memory of 228	4512	svchost.exe	94
PID 4512 wrote to memory of 4124	4512	svchost.exe	95
PID 4512 wrote to memory of 4124	4512	svchost.exe	95
PID 4512 wrote to memory of 464	4512	svchost.exe	96
PID 4512 wrote to memory of 464	4512	svchost.exe	96
PID 4512 wrote to memory of 2264	4512	svchost.exe	97
PID 4512 wrote to memory of 2264	4512	svchost.exe	97
PID 4512 wrote to memory of 1092	4512	svchost.exe	100
PID 4512 wrote to memory of 1092	4512	svchost.exe	100
PID 4512 wrote to memory of 3968	4512	svchost.exe	99
PID 4512 wrote to memory of 3968	4512	svchost.exe	99
PID 4512 wrote to memory of 392	4512	svchost.exe	98
PID 4512 wrote to memory of 392	4512	svchost.exe	98
PID 4512 wrote to memory of 4828	4512	svchost.exe	101
PID 4512 wrote to memory of 4828	4512	svchost.exe	101
PID 4512 wrote to memory of 3644	4512	svchost.exe	102
PID 4512 wrote to memory of 3644	4512	svchost.exe	102
PID 4512 wrote to memory of 3276	4512	svchost.exe	103
PID 4512 wrote to memory of 3276	4512	svchost.exe	103
PID 4512 wrote to memory of 1800	4512	svchost.exe	104
PID 4512 wrote to memory of 1800	4512	svchost.exe	104
PID 4512 wrote to memory of 3120	4512	svchost.exe	105
PID 4512 wrote to memory of 3120	4512	svchost.exe	105
PID 4512 wrote to memory of 3060	4512	svchost.exe	106
PID 4512 wrote to memory of 3060	4512	svchost.exe	106
PID 4512 wrote to memory of 3060	4512	svchost.exe	106
PID 4512 wrote to memory of 3060	4512	svchost.exe	106
PID 4512 wrote to memory of 3060	4512	svchost.exe	106
PID 4512 wrote to memory of 3060	4512	svchost.exe	106
PID 4512 wrote to memory of 3060	4512	svchost.exe	106
PID 4512 wrote to memory of 3060	4512	svchost.exe	106

System policy modification 1 TTPs 1 IoCs

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\15e26094676227ed93d5968badafe6f33ac17f77b9e91ef7ef86ee82d5a07821.exe
"C:\Users\Admin\AppData\Local\Temp\15e26094676227ed93d5968badafe6f33ac17f77b9e91ef7ef86ee82d5a07821.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:820
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3176
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
    3⤵
    - Creates scheduled task(s)
    PID:1308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6B9F.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4176
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:3004
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - UAC bypass
    - Windows security bypass
    - Looks for VirtualBox Guest Additions in registry
    - Looks for VMWare Tools registry key
    - Sets service image path in registry
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Windows security modification
    - Checks whether UAC is enabled
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:4512
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svchost.exe" -Force
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4312
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
      4⤵
      PID:232
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
      4⤵
      PID:228
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
      4⤵
      PID:4124
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
      4⤵
      PID:464
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
      4⤵
      PID:2264
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
      4⤵
      PID:392
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
      4⤵
      PID:3968
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
      4⤵
      PID:1092
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
      4⤵
      PID:4828
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:3644
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
      4⤵
      PID:3276
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"
      4⤵
      PID:1800
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
      4⤵
      PID:3120
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
      4⤵
      PID:3060
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 720
        5⤵
        Program crash
        
        PID:1120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3060 -ip 3060
1⤵
PID:4540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion