5a7eccf9dd4b02b2b134ac0acf10d6db32a3e5778455d81750f8827571c9100e

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosdate	svchost.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2308-0-0x0000000000400000-0x0000000000423000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aaaaaaaa = "C:\\Windows\\System32\\aaaaaaaa.exe"	3cc459c79a91b295877528ada8f56c56.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\aaaaaaaa = "C:\\Users\\Admin\\aaaaaaaa.exe"	3cc459c79a91b295877528ada8f56c56.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\aaaaaaaa.exe	3cc459c79a91b295877528ada8f56c56.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2308 set thread context of 2580	2308	3cc459c79a91b295877528ada8f56c56.exe	29

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosDate	svchost.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 2580	2308	3cc459c79a91b295877528ada8f56c56.exe	29
PID 2308 wrote to memory of 2580	2308	3cc459c79a91b295877528ada8f56c56.exe	29
PID 2308 wrote to memory of 2580	2308	3cc459c79a91b295877528ada8f56c56.exe	29
PID 2308 wrote to memory of 2580	2308	3cc459c79a91b295877528ada8f56c56.exe	29
PID 2308 wrote to memory of 2580	2308	3cc459c79a91b295877528ada8f56c56.exe	29
PID 2308 wrote to memory of 2580	2308	3cc459c79a91b295877528ada8f56c56.exe	29
PID 2308 wrote to memory of 2580	2308	3cc459c79a91b295877528ada8f56c56.exe	29
PID 2308 wrote to memory of 2580	2308	3cc459c79a91b295877528ada8f56c56.exe	29
PID 2308 wrote to memory of 2580	2308	3cc459c79a91b295877528ada8f56c56.exe	29

C:\Users\Admin\AppData\Local\Temp\3cc459c79a91b295877528ada8f56c56.exe
"C:\Users\Admin\AppData\Local\Temp\3cc459c79a91b295877528ada8f56c56.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\System32\svchost.exe
  2⤵
  - Checks BIOS information in registry
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

3

System Information Discovery

3