amadey | 04715d62cf6ceef23e91e164233d5ea2e82a22024fa8d5fedab310fef9f911f3

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	winlog.exe

Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	winlog.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	winlog.exe

Deletes itself 1 IoCs

pid	Process
1208	Explorer.EXE

Executes dropped EXE 29 IoCs

pid	Process
2656	EB49.exe
2576	F01B.exe
2716	F2F9.exe
2464	F56A.exe
2900	F8D5.exe
476	yiueea.exe
944	B0E.exe
1752	F64.exe
1548	132C.exe
2384	15BC.exe
1324	189B.exe
3068	F01B.exe
2620	1F11.exe
2368	taskhost.exe
1016	latestX.exe
1680	25E5.exe
1804	winlog.exe
856	446F.exe
2840	conhost.exe
3016	EB49.exe
2916	512C.exe
2460	5A80.exe
1468	6471.exe
2228	6AB9.exe
1932	7268.exe
2820	F01B.exe
1776	9331.exe
1832	powershell.exe
2128	EB49.exe

Loads dropped DLL 22 IoCs

pid	Process
2720	regsvr32.exe
2900	F8D5.exe
2208	regsvr32.exe
2576	F01B.exe
476	yiueea.exe
476	yiueea.exe
476	yiueea.exe
476	yiueea.exe
2852	regsvr32.exe
476	yiueea.exe
2656	EB49.exe
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
2000	regsvr32.exe
3068	F01B.exe
3068	F01B.exe
1208	Explorer.EXE
1208	Explorer.EXE
3016	EB49.exe
3016	EB49.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2416	icacls.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\ec10f78d-04c3-4947-9e39-c4906e532138\\EB49.exe\" --AutoStart"	EB49.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlog.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
17	api.2ip.ua
22	api.2ip.ua
35	api.2ip.ua
46	api.2ip.ua
54	api.2ip.ua
16	api.2ip.ua

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1804	winlog.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2576 set thread context of 3068	2576	F01B.exe	60
PID 2656 set thread context of 3016	2656	EB49.exe	71
PID 2368 set thread context of 1720	2368	taskhost.exe	66

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
520	sc.exe
2416	sc.exe
2744	sc.exe
2624	sc.exe
1504	sc.exe
2804	sc.exe
2676	sc.exe
1332	sc.exe
1868	sc.exe
324	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	04715d62cf6ceef23e91e164233d5ea2e82a22024fa8d5fedab310fef9f911f3.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	04715d62cf6ceef23e91e164233d5ea2e82a22024fa8d5fedab310fef9f911f3.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	04715d62cf6ceef23e91e164233d5ea2e82a22024fa8d5fedab310fef9f911f3.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
1000	schtasks.exe
1296	schtasks.exe
2472	schtasks.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	33	Go-http-client/1.1

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	EB49.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	EB49.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	EB49.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	EB49.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2520	04715d62cf6ceef23e91e164233d5ea2e82a22024fa8d5fedab310fef9f911f3.exe
2520	04715d62cf6ceef23e91e164233d5ea2e82a22024fa8d5fedab310fef9f911f3.exe
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE
1208	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1208	Explorer.EXE

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2520	04715d62cf6ceef23e91e164233d5ea2e82a22024fa8d5fedab310fef9f911f3.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeShutdownPrivilege	1208	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1208	Explorer.EXE
1208	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1208	Explorer.EXE
1208	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 2656	1208	Explorer.EXE	28
PID 1208 wrote to memory of 2656	1208	Explorer.EXE	28
PID 1208 wrote to memory of 2656	1208	Explorer.EXE	28
PID 1208 wrote to memory of 2656	1208	Explorer.EXE	28
PID 1208 wrote to memory of 2792	1208	Explorer.EXE	29
PID 1208 wrote to memory of 2792	1208	Explorer.EXE	29
PID 1208 wrote to memory of 2792	1208	Explorer.EXE	29
PID 1208 wrote to memory of 2792	1208	Explorer.EXE	29
PID 1208 wrote to memory of 2792	1208	Explorer.EXE	29
PID 2792 wrote to memory of 2720	2792	regsvr32.exe	30
PID 2792 wrote to memory of 2720	2792	regsvr32.exe	30
PID 2792 wrote to memory of 2720	2792	regsvr32.exe	30
PID 2792 wrote to memory of 2720	2792	regsvr32.exe	30
PID 2792 wrote to memory of 2720	2792	regsvr32.exe	30
PID 2792 wrote to memory of 2720	2792	regsvr32.exe	30
PID 2792 wrote to memory of 2720	2792	regsvr32.exe	30
PID 1208 wrote to memory of 2576	1208	Explorer.EXE	31
PID 1208 wrote to memory of 2576	1208	Explorer.EXE	31
PID 1208 wrote to memory of 2576	1208	Explorer.EXE	31
PID 1208 wrote to memory of 2576	1208	Explorer.EXE	31
PID 1208 wrote to memory of 2716	1208	Explorer.EXE	32
PID 1208 wrote to memory of 2716	1208	Explorer.EXE	32
PID 1208 wrote to memory of 2716	1208	Explorer.EXE	32
PID 1208 wrote to memory of 2716	1208	Explorer.EXE	32
PID 1208 wrote to memory of 2464	1208	Explorer.EXE	34
PID 1208 wrote to memory of 2464	1208	Explorer.EXE	34
PID 1208 wrote to memory of 2464	1208	Explorer.EXE	34
PID 1208 wrote to memory of 2464	1208	Explorer.EXE	34
PID 1208 wrote to memory of 2900	1208	Explorer.EXE	36
PID 1208 wrote to memory of 2900	1208	Explorer.EXE	36
PID 1208 wrote to memory of 2900	1208	Explorer.EXE	36
PID 1208 wrote to memory of 2900	1208	Explorer.EXE	36
PID 2900 wrote to memory of 476	2900	F8D5.exe	37
PID 2900 wrote to memory of 476	2900	F8D5.exe	37
PID 2900 wrote to memory of 476	2900	F8D5.exe	37
PID 2900 wrote to memory of 476	2900	F8D5.exe	37
PID 476 wrote to memory of 1000	476	yiueea.exe	38
PID 476 wrote to memory of 1000	476	yiueea.exe	38
PID 476 wrote to memory of 1000	476	yiueea.exe	38
PID 476 wrote to memory of 1000	476	yiueea.exe	38
PID 476 wrote to memory of 2696	476	yiueea.exe	40
PID 476 wrote to memory of 2696	476	yiueea.exe	40
PID 476 wrote to memory of 2696	476	yiueea.exe	40
PID 476 wrote to memory of 2696	476	yiueea.exe	40
PID 2696 wrote to memory of 2736	2696	cmd.exe	42
PID 2696 wrote to memory of 2736	2696	cmd.exe	42
PID 2696 wrote to memory of 2736	2696	cmd.exe	42
PID 2696 wrote to memory of 2736	2696	cmd.exe	42
PID 2696 wrote to memory of 2692	2696	cmd.exe	43
PID 2696 wrote to memory of 2692	2696	cmd.exe	43
PID 2696 wrote to memory of 2692	2696	cmd.exe	43
PID 2696 wrote to memory of 2692	2696	cmd.exe	43
PID 2696 wrote to memory of 2480	2696	cmd.exe	44
PID 2696 wrote to memory of 2480	2696	cmd.exe	44
PID 2696 wrote to memory of 2480	2696	cmd.exe	44
PID 2696 wrote to memory of 2480	2696	cmd.exe	44
PID 2696 wrote to memory of 2988	2696	cmd.exe	45
PID 2696 wrote to memory of 2988	2696	cmd.exe	45
PID 2696 wrote to memory of 2988	2696	cmd.exe	45
PID 2696 wrote to memory of 2988	2696	cmd.exe	45
PID 2696 wrote to memory of 2288	2696	cmd.exe	46
PID 2696 wrote to memory of 2288	2696	cmd.exe	46
PID 2696 wrote to memory of 2288	2696	cmd.exe	46
PID 2696 wrote to memory of 2288	2696	cmd.exe	46

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Deletes itself
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Users\Admin\AppData\Local\Temp\04715d62cf6ceef23e91e164233d5ea2e82a22024fa8d5fedab310fef9f911f3.exe
  "C:\Users\Admin\AppData\Local\Temp\04715d62cf6ceef23e91e164233d5ea2e82a22024fa8d5fedab310fef9f911f3.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2520
- C:\Users\Admin\AppData\Local\Temp\EB49.exe
  C:\Users\Admin\AppData\Local\Temp\EB49.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID:2656
- - C:\Users\Admin\AppData\Local\Temp\EB49.exe
    C:\Users\Admin\AppData\Local\Temp\EB49.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies system certificate store
    PID:3016
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Users\Admin\AppData\Local\ec10f78d-04c3-4947-9e39-c4906e532138" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      4⤵
      Modifies file permissions
      PID:2416
  - - C:\Users\Admin\AppData\Local\Temp\EB49.exe
      "C:\Users\Admin\AppData\Local\Temp\EB49.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Executes dropped EXE
      PID:2128
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\EEA4.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\SysWOW64\regsvr32.exe
    /s C:\Users\Admin\AppData\Local\Temp\EEA4.dll
    3⤵
    - Loads dropped DLL
    PID:2720
- C:\Users\Admin\AppData\Local\Temp\F01B.exe
  C:\Users\Admin\AppData\Local\Temp\F01B.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID:2576
- - C:\Users\Admin\AppData\Local\Temp\F01B.exe
    C:\Users\Admin\AppData\Local\Temp\F01B.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3068
  - - C:\Users\Admin\AppData\Local\Temp\F01B.exe
      "C:\Users\Admin\AppData\Local\Temp\F01B.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Executes dropped EXE
      PID:2820
    - - C:\Users\Admin\AppData\Local\Temp\F01B.exe
        
        "C:\Users\Admin\AppData\Local\Temp\F01B.exe" --Admin IsNotAutoStart IsNotTask
        5⤵
        
        PID:2732
- C:\Users\Admin\AppData\Local\Temp\F2F9.exe
  C:\Users\Admin\AppData\Local\Temp\F2F9.exe
  2⤵
  - Executes dropped EXE
  PID:2716
- - C:\Users\Admin\AppData\Local\Temp\F2F9.exe
    C:\Users\Admin\AppData\Local\Temp\F2F9.exe
    3⤵
    PID:2604
  - - C:\Users\Admin\AppData\Local\Temp\F2F9.exe
      "C:\Users\Admin\AppData\Local\Temp\F2F9.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      PID:1684
    - - C:\Users\Admin\AppData\Local\Temp\F2F9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\F2F9.exe" --Admin IsNotAutoStart IsNotTask
        5⤵
        
        PID:1048
- C:\Users\Admin\AppData\Local\Temp\F56A.exe
  C:\Users\Admin\AppData\Local\Temp\F56A.exe
  2⤵
  - Executes dropped EXE
  PID:2464
- - C:\Users\Admin\AppData\Local\Temp\F56A.exe
    C:\Users\Admin\AppData\Local\Temp\F56A.exe
    3⤵
    PID:1040
- C:\Users\Admin\AppData\Local\Temp\F8D5.exe
  C:\Users\Admin\AppData\Local\Temp\F8D5.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
    "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:476
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:1000
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2696
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:2736
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "yiueea.exe" /P "Admin:N"
        5⤵
        
        PID:2692
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "yiueea.exe" /P "Admin:R" /E
        5⤵
        
        PID:2480
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:2988
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\577f58beff" /P "Admin:N"
        5⤵
        
        PID:2288
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\577f58beff" /P "Admin:R" /E
        5⤵
        
        PID:1996
  - - C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe
      "C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:2368
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        5⤵
        
        PID:1720
  - - C:\Users\Admin\AppData\Local\Temp\1000069001\latestX.exe
      "C:\Users\Admin\AppData\Local\Temp\1000069001\latestX.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      PID:1016
  - - C:\Users\Admin\AppData\Local\Temp\1000398001\winlog.exe
      "C:\Users\Admin\AppData\Local\Temp\1000398001\winlog.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:1804
    - - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
        
        C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
        5⤵
        
        PID:1276
  - - C:\Users\Admin\AppData\Local\Temp\1000399001\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\1000399001\msedge.exe"
      4⤵
      PID:2840
- C:\Users\Admin\AppData\Local\Temp\B0E.exe
  C:\Users\Admin\AppData\Local\Temp\B0E.exe
  2⤵
  - Executes dropped EXE
  PID:944
- - C:\Users\Admin\AppData\Local\Temp\B0E.exe
    C:\Users\Admin\AppData\Local\Temp\B0E.exe
    3⤵
    PID:2144
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\E3B.dll
  2⤵
  PID:2120
- - C:\Windows\SysWOW64\regsvr32.exe
    /s C:\Users\Admin\AppData\Local\Temp\E3B.dll
    3⤵
    - Loads dropped DLL
    PID:2208
- C:\Users\Admin\AppData\Local\Temp\F64.exe
  C:\Users\Admin\AppData\Local\Temp\F64.exe
  2⤵
  - Executes dropped EXE
  PID:1752
- - C:\Users\Admin\AppData\Local\Temp\F64.exe
    C:\Users\Admin\AppData\Local\Temp\F64.exe
    3⤵
    PID:1504
- C:\Users\Admin\AppData\Local\Temp\132C.exe
  C:\Users\Admin\AppData\Local\Temp\132C.exe
  2⤵
  - Executes dropped EXE
  PID:1548
- C:\Users\Admin\AppData\Local\Temp\15BC.exe
  C:\Users\Admin\AppData\Local\Temp\15BC.exe
  2⤵
  - Executes dropped EXE
  PID:2384
- C:\Users\Admin\AppData\Local\Temp\189B.exe
  C:\Users\Admin\AppData\Local\Temp\189B.exe
  2⤵
  - Executes dropped EXE
  PID:1324
- C:\Users\Admin\AppData\Local\Temp\1F11.exe
  C:\Users\Admin\AppData\Local\Temp\1F11.exe
  2⤵
  - Executes dropped EXE
  PID:2620
- C:\Users\Admin\AppData\Local\Temp\25E5.exe
  C:\Users\Admin\AppData\Local\Temp\25E5.exe
  2⤵
  - Executes dropped EXE
  PID:1680
- - C:\Users\Admin\AppData\Local\Temp\25E5.exe
    C:\Users\Admin\AppData\Local\Temp\25E5.exe
    3⤵
    PID:1288
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\2EAD.dll
  2⤵
  PID:2828
- - C:\Windows\SysWOW64\regsvr32.exe
    /s C:\Users\Admin\AppData\Local\Temp\2EAD.dll
    3⤵
    - Loads dropped DLL
    PID:2852
- C:\Users\Admin\AppData\Local\Temp\446F.exe
  C:\Users\Admin\AppData\Local\Temp\446F.exe
  2⤵
  - Executes dropped EXE
  PID:856
- - C:\Users\Admin\AppData\Local\Temp\446F.exe
    C:\Users\Admin\AppData\Local\Temp\446F.exe
    3⤵
    PID:1464
  - - C:\Users\Admin\AppData\Local\Temp\446F.exe
      "C:\Users\Admin\AppData\Local\Temp\446F.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      PID:848
- C:\Users\Admin\AppData\Local\Temp\512C.exe
  C:\Users\Admin\AppData\Local\Temp\512C.exe
  2⤵
  - Executes dropped EXE
  PID:2916
- C:\Users\Admin\AppData\Local\Temp\5A80.exe
  C:\Users\Admin\AppData\Local\Temp\5A80.exe
  2⤵
  - Executes dropped EXE
  PID:2460
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6126.dll
  2⤵
  PID:676
- - C:\Windows\SysWOW64\regsvr32.exe
    /s C:\Users\Admin\AppData\Local\Temp\6126.dll
    3⤵
    - Loads dropped DLL
    PID:2000
- C:\Users\Admin\AppData\Local\Temp\6471.exe
  C:\Users\Admin\AppData\Local\Temp\6471.exe
  2⤵
  - Executes dropped EXE
  PID:1468
- - C:\Users\Admin\AppData\Local\Temp\6471.exe
    C:\Users\Admin\AppData\Local\Temp\6471.exe
    3⤵
    PID:1828
- C:\Users\Admin\AppData\Local\Temp\6AB9.exe
  C:\Users\Admin\AppData\Local\Temp\6AB9.exe
  2⤵
  - Executes dropped EXE
  PID:2228
- C:\Users\Admin\AppData\Local\Temp\7268.exe
  C:\Users\Admin\AppData\Local\Temp\7268.exe
  2⤵
  - Executes dropped EXE
  PID:1932
- - C:\Users\Admin\AppData\Local\Temp\7268.exe
    C:\Users\Admin\AppData\Local\Temp\7268.exe
    3⤵
    PID:1600
- C:\Users\Admin\AppData\Local\Temp\9331.exe
  C:\Users\Admin\AppData\Local\Temp\9331.exe
  2⤵
  - Executes dropped EXE
  PID:1776
- C:\Users\Admin\AppData\Local\Temp\9554.exe
  C:\Users\Admin\AppData\Local\Temp\9554.exe
  2⤵
  PID:1832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:1872
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:1156
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1868
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:2744
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2624
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:324
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:520
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:2632
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:2944
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:2132
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:2372
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:1292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  PID:1936
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:1296
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:1656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:2772
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:2560
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1504
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2804
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2676
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:2416
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Executes dropped EXE
  PID:1832
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:2472
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:1712
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:872
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:2960
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:1828
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:3000
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:1664
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:2856

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1977705387849452570641406233-1661950655440144157158144668-1075244541235205927"
1⤵
- Executes dropped EXE
PID:2840

C:\Windows\system32\taskeng.exe
taskeng.exe {DDB5BF8C-0A16-4CC6-AAB0-8953F2182FC2} S-1-5-21-3185155662-718608226-894467740-1000:YETUIZPU\Admin:Interactive:[1]
1⤵
PID:2740
- C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
  C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
  2⤵
  PID:1428
- C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
  C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
  2⤵
  PID:2572
- C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
  C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
  2⤵
  PID:2676

C:\Windows\system32\taskeng.exe
taskeng.exe {C94AEEF2-D8D8-499E-8124-E1C6C798E4A6} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:2276
- C:\Program Files\Google\Chrome\updater.exe
  "C:\Program Files\Google\Chrome\updater.exe"
  2⤵
  PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Defense Evasion

File and Directory Permissions Modification

Impair Defenses

Modify Registry

Scripting

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery