ae14b287be4c2cb072802d65693beeb9efecefd6e6de5994abe49546b8ca0308

Virtualization/Sandbox Evasion

T1497

Processes:

tmp.exeO.exeO.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	tmp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	O.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	O.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

tmp.exeO.exeO.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	O.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	O.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	O.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	O.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	tmp.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

tmp.exeO.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	O.exe

Executes dropped EXE 2 IoCs

Processes:

O.exeO.exe

pid process

4252 O.exe
4212 O.exe

pid	process
4252	O.exe
4212	O.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

Processes:

tmp.exeO.exeO.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	tmp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	O.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	O.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

tmp.exeO.exeO.exe

pid process

5088 tmp.exe
4252 O.exe
4212 O.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3036 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3252 timeout.exe

pid	process
5088	tmp.exe
4252	O.exe
4212	O.exe

pid	process
3036	schtasks.exe

pid	process
3252	timeout.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

tmp.execmd.exeO.exe

description	pid	process	target process
PID 5088 wrote to memory of 4200	5088	tmp.exe	cmd.exe
PID 5088 wrote to memory of 4200	5088	tmp.exe	cmd.exe
PID 5088 wrote to memory of 4200	5088	tmp.exe	cmd.exe
PID 4200 wrote to memory of 3252	4200	cmd.exe	timeout.exe
PID 4200 wrote to memory of 3252	4200	cmd.exe	timeout.exe
PID 4200 wrote to memory of 3252	4200	cmd.exe	timeout.exe
PID 4200 wrote to memory of 4252	4200	cmd.exe	O.exe
PID 4200 wrote to memory of 4252	4200	cmd.exe	O.exe
PID 4200 wrote to memory of 4252	4200	cmd.exe	O.exe
PID 4252 wrote to memory of 3036	4252	O.exe	schtasks.exe
PID 4252 wrote to memory of 3036	4252	O.exe	schtasks.exe
PID 4252 wrote to memory of 3036	4252	O.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:5088
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s3xc.0.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4200
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:3252
- - C:\ProgramData\Roaming\O.exe
    "C:\ProgramData\Roaming\O.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory
    PID:4252
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /RL HIGHEST /tn "O" /tr C:\ProgramData\Roaming\O.exe /f
      4⤵
      Creates scheduled task(s)
      PID:3036

C:\ProgramData\Roaming\O.exe
C:\ProgramData\Roaming\O.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

3

System Information Discovery

4

Virtualization/Sandbox Evasion