blacknet | e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a

Windows Service

T1543.003

Disable or Modify Tools

Processes:

furz.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	furz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	furz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	furz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	furz.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

Processes:

reg.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2560	cmd.exe

Executes dropped EXE 5 IoCs

Processes:

furz.exeUacTest.exeInpwdja.exeMnrjvryib.exeWindowsUpdate.exe

pid	Process
1880	furz.exe
768	UacTest.exe
556	Inpwdja.exe
2632	Mnrjvryib.exe
1444	WindowsUpdate.exe

Loads dropped DLL 6 IoCs

Processes:

97cb3fda3cff430377a866d6b437de8f.exeUacTest.exe

pid	Process
2712	97cb3fda3cff430377a866d6b437de8f.exe
2712	97cb3fda3cff430377a866d6b437de8f.exe
768	UacTest.exe
768	UacTest.exe
768	UacTest.exe
768	UacTest.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

Modify Registry

Processes:

furz.exeWindowsUpdate.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	furz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	WindowsUpdate.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

Processes:

97cb3fda3cff430377a866d6b437de8f.exefurz.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Update Folder\\Windows Update.exe"	97cb3fda3cff430377a866d6b437de8f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\e162b1333458a713bc6916cc8ac4110c = "C:\\Windows\\Microsoft\\MyClient\\WindowsUpdate.exe"	furz.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

97cb3fda3cff430377a866d6b437de8f.exe

description	pid	Process	procid_target
PID 1064 set thread context of 2712	1064	97cb3fda3cff430377a866d6b437de8f.exe	28

Drops file in Windows directory 2 IoCs

Processes:

furz.exe

description	ioc	Process
File created	C:\Windows\Microsoft\MyClient\WindowsUpdate.exe	furz.exe
File opened for modification	C:\Windows\Microsoft\MyClient\WindowsUpdate.exe	furz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

Processes:

schtasks.exe

pid	Process
2372	schtasks.exe

Kills process with taskkill 1 IoCs

evasion

Processes:

taskkill.exe

pid	Process
2236	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

Processes:

reg.exe

pid	Process
2232	reg.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXE

pid	Process
2044	PING.EXE
588	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

97cb3fda3cff430377a866d6b437de8f.exefurz.exepowershell.exe

pid	Process
2712	97cb3fda3cff430377a866d6b437de8f.exe
2712	97cb3fda3cff430377a866d6b437de8f.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1292	powershell.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe
1880	furz.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

97cb3fda3cff430377a866d6b437de8f.exetaskkill.exefurz.exepowershell.exeWindowsUpdate.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	2712	97cb3fda3cff430377a866d6b437de8f.exe
Token: SeDebugPrivilege	2236	taskkill.exe
Token: SeDebugPrivilege	1880	furz.exe
Token: SeDebugPrivilege	1292	powershell.exe
Token: SeDebugPrivilege	1444	WindowsUpdate.exe
Token: SeDebugPrivilege	900	powershell.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

furz.exeWindowsUpdate.exe

pid	Process
1880	furz.exe
1880	furz.exe
1880	furz.exe
1444	WindowsUpdate.exe
1444	WindowsUpdate.exe
1444	WindowsUpdate.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

97cb3fda3cff430377a866d6b437de8f.exe97cb3fda3cff430377a866d6b437de8f.execmd.exeUacTest.exeInpwdja.exeMnrjvryib.execmd.execmd.execmd.exefurz.exe

description	pid	Process	procid_target
PID 1064 wrote to memory of 2712	1064	97cb3fda3cff430377a866d6b437de8f.exe	28
PID 1064 wrote to memory of 2712	1064	97cb3fda3cff430377a866d6b437de8f.exe	28
PID 1064 wrote to memory of 2712	1064	97cb3fda3cff430377a866d6b437de8f.exe	28
PID 1064 wrote to memory of 2712	1064	97cb3fda3cff430377a866d6b437de8f.exe	28
PID 1064 wrote to memory of 2712	1064	97cb3fda3cff430377a866d6b437de8f.exe	28
PID 1064 wrote to memory of 2712	1064	97cb3fda3cff430377a866d6b437de8f.exe	28
PID 1064 wrote to memory of 2712	1064	97cb3fda3cff430377a866d6b437de8f.exe	28
PID 1064 wrote to memory of 2712	1064	97cb3fda3cff430377a866d6b437de8f.exe	28
PID 1064 wrote to memory of 2712	1064	97cb3fda3cff430377a866d6b437de8f.exe	28
PID 2712 wrote to memory of 1880	2712	97cb3fda3cff430377a866d6b437de8f.exe	29
PID 2712 wrote to memory of 1880	2712	97cb3fda3cff430377a866d6b437de8f.exe	29
PID 2712 wrote to memory of 1880	2712	97cb3fda3cff430377a866d6b437de8f.exe	29
PID 2712 wrote to memory of 1880	2712	97cb3fda3cff430377a866d6b437de8f.exe	29
PID 2712 wrote to memory of 768	2712	97cb3fda3cff430377a866d6b437de8f.exe	30
PID 2712 wrote to memory of 768	2712	97cb3fda3cff430377a866d6b437de8f.exe	30
PID 2712 wrote to memory of 768	2712	97cb3fda3cff430377a866d6b437de8f.exe	30
PID 2712 wrote to memory of 768	2712	97cb3fda3cff430377a866d6b437de8f.exe	30
PID 2712 wrote to memory of 2560	2712	97cb3fda3cff430377a866d6b437de8f.exe	31
PID 2712 wrote to memory of 2560	2712	97cb3fda3cff430377a866d6b437de8f.exe	31
PID 2712 wrote to memory of 2560	2712	97cb3fda3cff430377a866d6b437de8f.exe	31
PID 2712 wrote to memory of 2560	2712	97cb3fda3cff430377a866d6b437de8f.exe	31
PID 2560 wrote to memory of 2044	2560	cmd.exe	33
PID 2560 wrote to memory of 2044	2560	cmd.exe	33
PID 2560 wrote to memory of 2044	2560	cmd.exe	33
PID 2560 wrote to memory of 2044	2560	cmd.exe	33
PID 2560 wrote to memory of 588	2560	cmd.exe	34
PID 2560 wrote to memory of 588	2560	cmd.exe	34
PID 2560 wrote to memory of 588	2560	cmd.exe	34
PID 2560 wrote to memory of 588	2560	cmd.exe	34
PID 768 wrote to memory of 556	768	UacTest.exe	35
PID 768 wrote to memory of 556	768	UacTest.exe	35
PID 768 wrote to memory of 556	768	UacTest.exe	35
PID 768 wrote to memory of 556	768	UacTest.exe	35
PID 768 wrote to memory of 2632	768	UacTest.exe	37
PID 768 wrote to memory of 2632	768	UacTest.exe	37
PID 768 wrote to memory of 2632	768	UacTest.exe	37
PID 768 wrote to memory of 2632	768	UacTest.exe	37
PID 556 wrote to memory of 2660	556	Inpwdja.exe	39
PID 556 wrote to memory of 2660	556	Inpwdja.exe	39
PID 556 wrote to memory of 2660	556	Inpwdja.exe	39
PID 556 wrote to memory of 2660	556	Inpwdja.exe	39
PID 2632 wrote to memory of 1952	2632	Mnrjvryib.exe	41
PID 2632 wrote to memory of 1952	2632	Mnrjvryib.exe	41
PID 2632 wrote to memory of 1952	2632	Mnrjvryib.exe	41
PID 2632 wrote to memory of 1952	2632	Mnrjvryib.exe	41
PID 2660 wrote to memory of 2400	2660	cmd.exe	40
PID 2660 wrote to memory of 2400	2660	cmd.exe	40
PID 2660 wrote to memory of 2400	2660	cmd.exe	40
PID 2400 wrote to memory of 2232	2400	cmd.exe	42
PID 2400 wrote to memory of 2232	2400	cmd.exe	42
PID 2400 wrote to memory of 2232	2400	cmd.exe	42
PID 1952 wrote to memory of 2236	1952	cmd.exe	43
PID 1952 wrote to memory of 2236	1952	cmd.exe	43
PID 1952 wrote to memory of 2236	1952	cmd.exe	43
PID 1952 wrote to memory of 2236	1952	cmd.exe	43
PID 1880 wrote to memory of 1292	1880	furz.exe	45
PID 1880 wrote to memory of 1292	1880	furz.exe	45
PID 1880 wrote to memory of 1292	1880	furz.exe	45
PID 1880 wrote to memory of 1720	1880	furz.exe	47
PID 1880 wrote to memory of 1720	1880	furz.exe	47
PID 1880 wrote to memory of 1720	1880	furz.exe	47
PID 1880 wrote to memory of 1444	1880	furz.exe	49
PID 1880 wrote to memory of 1444	1880	furz.exe	49
PID 1880 wrote to memory of 1444	1880	furz.exe	49

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\97cb3fda3cff430377a866d6b437de8f.exe
"C:\Users\Admin\AppData\Local\Temp\97cb3fda3cff430377a866d6b437de8f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Users\Admin\AppData\Local\Temp\97cb3fda3cff430377a866d6b437de8f.exe
  "C:\Users\Admin\AppData\Local\Temp\97cb3fda3cff430377a866d6b437de8f.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Users\Admin\AppData\Local\Temp\furz.exe
    "C:\Users\Admin\AppData\Local\Temp\furz.exe"
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1880
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1292
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /delete /tn "WindowsUpdate.exe" /f
      4⤵
      PID:1720
  - - C:\Windows\Microsoft\MyClient\WindowsUpdate.exe
      "C:\Windows\Microsoft\MyClient\WindowsUpdate.exe"
      4⤵
      Executes dropped EXE
      Windows security modification
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1444
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" Get-MpPreference -verbose
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:900
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /delete /tn "WindowsUpdate.exe" /f
        5⤵
        
        PID:1704
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1444 -s 1052
        5⤵
        
        PID:2832
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "WindowsUpdate.exe" /sc ONLOGON /tr "C:\Windows\WindowsUpdate.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:2372
- - C:\Users\Admin\AppData\Local\Temp\UacTest.exe
    "C:\Users\Admin\AppData\Local\Temp\UacTest.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:768
  - - C:\Users\Admin\AppData\Local\Temp\Inpwdja.exe
      "C:\Users\Admin\AppData\Local\Temp\Inpwdja.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:556
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\80A5.tmp\80A6.tmp\80A7.bat C:\Users\Admin\AppData\Local\Temp\Inpwdja.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2660
      - C:\Windows\System32\cmd.exe
        
        C:\Windows\System32\cmd.exe /k C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\System32\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        7⤵
        UAC bypass
        Modifies registry key
        
        PID:2232
  - - C:\Users\Admin\AppData\Local\Temp\Mnrjvryib.exe
      "C:\Users\Admin\AppData\Local\Temp\Mnrjvryib.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\80B4.tmp\80B5.tmp\80B6.bat C:\Users\Admin\AppData\Local\Temp\Mnrjvryib.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1952
      - C:\Windows\SysWOW64\taskkill.exe
        
        Taskkill /IM cmd.exe /F
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 100 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\97cb3fda3cff430377a866d6b437de8f.exe"& ping 1.1.1.1 -n 1 -w 900 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\97cb3fda3cff430377a866d6b437de8f.exe"
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:2560
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 100
      4⤵
      Runs ping.exe
      PID:2044
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 900
      4⤵
      Runs ping.exe
      PID:588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

Modify Registry