djvu | e750bc258035f76c7e4c1a1819434f0fd6c7eaaa49567900439e487b45721ef1

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	setup.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	setup.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	setup.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1792	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 29 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/3368-0-0x00007FF7E7A70000-0x00007FF7E82F5000-memory.dmp	themida
behavioral2/memory/3368-1-0x00007FF7E7A70000-0x00007FF7E82F5000-memory.dmp	themida
behavioral2/memory/3368-2-0x00007FF7E7A70000-0x00007FF7E82F5000-memory.dmp	themida
behavioral2/memory/3368-3-0x00007FF7E7A70000-0x00007FF7E82F5000-memory.dmp	themida
behavioral2/memory/3368-4-0x00007FF7E7A70000-0x00007FF7E82F5000-memory.dmp	themida
behavioral2/memory/3368-5-0x00007FF7E7A70000-0x00007FF7E82F5000-memory.dmp	themida
behavioral2/memory/3368-6-0x00007FF7E7A70000-0x00007FF7E82F5000-memory.dmp	themida
behavioral2/memory/3368-7-0x00007FF7E7A70000-0x00007FF7E82F5000-memory.dmp	themida
behavioral2/memory/3368-8-0x00007FF7E7A70000-0x00007FF7E82F5000-memory.dmp	themida
behavioral2/memory/3368-9-0x00007FF7E7A70000-0x00007FF7E82F5000-memory.dmp	themida
behavioral2/memory/3368-18-0x00007FF7E7A70000-0x00007FF7E82F5000-memory.dmp	themida
behavioral2/memory/3368-58-0x00007FF7E7A70000-0x00007FF7E82F5000-memory.dmp	themida
behavioral2/memory/3368-96-0x00007FF7E7A70000-0x00007FF7E82F5000-memory.dmp	themida
behavioral2/memory/3368-139-0x00007FF7E7A70000-0x00007FF7E82F5000-memory.dmp	themida
behavioral2/files/0x0006000000023258-355.dat	themida
behavioral2/files/0x0006000000023258-544.dat	themida
behavioral2/files/0x0006000000023258-538.dat	themida
behavioral2/memory/3064-564-0x0000000000E90000-0x0000000001C2A000-memory.dmp	themida
behavioral2/memory/3368-779-0x00007FF7E7A70000-0x00007FF7E82F5000-memory.dmp	themida
behavioral2/memory/3064-780-0x0000000000E90000-0x0000000001C2A000-memory.dmp	themida
behavioral2/memory/3064-795-0x0000000000E90000-0x0000000001C2A000-memory.dmp	themida
behavioral2/memory/3064-798-0x0000000000E90000-0x0000000001C2A000-memory.dmp	themida
behavioral2/memory/3368-806-0x00007FF7E7A70000-0x00007FF7E82F5000-memory.dmp	themida
behavioral2/memory/3064-792-0x0000000000E90000-0x0000000001C2A000-memory.dmp	themida
behavioral2/memory/3064-786-0x0000000000E90000-0x0000000001C2A000-memory.dmp	themida
behavioral2/memory/3064-783-0x0000000000E90000-0x0000000001C2A000-memory.dmp	themida
behavioral2/memory/3064-776-0x0000000000E90000-0x0000000001C2A000-memory.dmp	themida
behavioral2/memory/3064-713-0x0000000000E90000-0x0000000001C2A000-memory.dmp	themida
behavioral2/memory/3064-870-0x0000000000E90000-0x0000000001C2A000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	setup.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
27	ipinfo.io
28	ipinfo.io
12	api.myip.com
15	api.myip.com
26	api.myip.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy	setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	setup.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	setup.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3368	setup.exe

Program crash 11 IoCs

pid	pid_target	Process	procid_target
4276	3520	WerFault.exe	97
3432	3964	WerFault.exe	120
1056	3976	WerFault.exe	135
912	1452	WerFault.exe	139
3520	2984	WerFault.exe	140
4836	772	WerFault.exe	108
4444	2612	WerFault.exe	148
1792	2668	WerFault.exe	154
1012	792	WerFault.exe	157
3548	936	WerFault.exe	160
2896	1952	WerFault.exe	163

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
5060	schtasks.exe
2164	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4840	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3368	setup.exe
3368	setup.exe

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3368
- C:\Users\Admin\Documents\GuardFox\KTbSxtD63_LRdeCNEVK0foxW.exe
  "C:\Users\Admin\Documents\GuardFox\KTbSxtD63_LRdeCNEVK0foxW.exe"
  2⤵
  PID:1492
- - C:\Users\Admin\AppData\Local\Temp\is-ITKK5.tmp\KTbSxtD63_LRdeCNEVK0foxW.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-ITKK5.tmp\KTbSxtD63_LRdeCNEVK0foxW.tmp" /SL5="$501DA,6180089,109568,C:\Users\Admin\Documents\GuardFox\KTbSxtD63_LRdeCNEVK0foxW.exe"
    3⤵
    PID:3508
  - - C:\Program Files (x86)\QtLinkMaster\qtlinkmaster.exe
      "C:\Program Files (x86)\QtLinkMaster\qtlinkmaster.exe" -i
      4⤵
      PID:1452
  - - C:\Program Files (x86)\QtLinkMaster\qtlinkmaster.exe
      "C:\Program Files (x86)\QtLinkMaster\qtlinkmaster.exe" -s
      4⤵
      PID:5024
- C:\Users\Admin\Documents\GuardFox\T6bsGFQYiCavgyr9Qo_2JS62.exe
  "C:\Users\Admin\Documents\GuardFox\T6bsGFQYiCavgyr9Qo_2JS62.exe"
  2⤵
  PID:3788
- - C:\Windows\SysWOW64\control.exe
    "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\iDtxXnOU.CPL",
    3⤵
    PID:2764
- C:\Users\Admin\Documents\GuardFox\TjUmVfHIJ058saHeZL4iPfFM.exe
  "C:\Users\Admin\Documents\GuardFox\TjUmVfHIJ058saHeZL4iPfFM.exe"
  2⤵
  PID:3520
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3520 -s 1232
    3⤵
    - Program crash
    PID:4276
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\Documents\GuardFox\TjUmVfHIJ058saHeZL4iPfFM.exe"
    3⤵
    PID:2708
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 3
      4⤵
      Runs ping.exe
      PID:4840
- - C:\Users\Admin\AppData\Local\Temp\wfplwfs.exe
    C:\Users\Admin\AppData\Local\Temp\wfplwfs.exe
    3⤵
    PID:1112
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:3964
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 1716
        5⤵
        Program crash
        
        PID:3432
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:3976
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 1724
        5⤵
        Program crash
        
        PID:1056
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:2984
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 1720
        5⤵
        Program crash
        
        PID:3520
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:3512
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:2612
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 1720
        5⤵
        Program crash
        
        PID:4444
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:2668
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 1716
        5⤵
        Program crash
        
        PID:1792
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:792
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 792 -s 1724
        5⤵
        Program crash
        
        PID:1012
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:936
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 936 -s 1716
        5⤵
        Program crash
        
        PID:3548
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:1952
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1952 -s 1724
        5⤵
        Program crash
        
        PID:2896
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:4776
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe
      4⤵
      PID:720
- C:\Users\Admin\Documents\GuardFox\gUAhbH4AF3M84iRRtvI3L34c.exe
  "C:\Users\Admin\Documents\GuardFox\gUAhbH4AF3M84iRRtvI3L34c.exe"
  2⤵
  PID:4500
- - C:\Users\Admin\Documents\GuardFox\gUAhbH4AF3M84iRRtvI3L34c.exe
    "C:\Users\Admin\Documents\GuardFox\gUAhbH4AF3M84iRRtvI3L34c.exe"
    3⤵
    PID:4056
  - - C:\Users\Admin\Documents\GuardFox\gUAhbH4AF3M84iRRtvI3L34c.exe
      "C:\Users\Admin\Documents\GuardFox\gUAhbH4AF3M84iRRtvI3L34c.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      PID:544
    - - C:\Users\Admin\Documents\GuardFox\gUAhbH4AF3M84iRRtvI3L34c.exe
        
        "C:\Users\Admin\Documents\GuardFox\gUAhbH4AF3M84iRRtvI3L34c.exe" --Admin IsNotAutoStart IsNotTask
        5⤵
        
        PID:1452
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 584
        6⤵
        Program crash
        
        PID:912
- C:\Users\Admin\Documents\GuardFox\YZ_TqBvSYKwtX24ajASzXxYw.exe
  "C:\Users\Admin\Documents\GuardFox\YZ_TqBvSYKwtX24ajASzXxYw.exe"
  2⤵
  PID:452
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:5060
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2164
- C:\Users\Admin\Documents\GuardFox\kFKV0jcoc_jXrCy7ITBTLY1z.exe
  "C:\Users\Admin\Documents\GuardFox\kFKV0jcoc_jXrCy7ITBTLY1z.exe"
  2⤵
  PID:3064
- C:\Users\Admin\Documents\GuardFox\_zSVoK97nu9W1XZGKR4JrL9Y.exe
  "C:\Users\Admin\Documents\GuardFox\_zSVoK97nu9W1XZGKR4JrL9Y.exe"
  2⤵
  PID:740
- C:\Users\Admin\Documents\GuardFox\k_dhcqlzuMivoBewgIOaumlI.exe
  "C:\Users\Admin\Documents\GuardFox\k_dhcqlzuMivoBewgIOaumlI.exe"
  2⤵
  PID:4796
- C:\Users\Admin\Documents\GuardFox\52UuxABLktVzA_AIXhdDNcqm.exe
  "C:\Users\Admin\Documents\GuardFox\52UuxABLktVzA_AIXhdDNcqm.exe"
  2⤵
  PID:4592
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:2760
- C:\Users\Admin\Documents\GuardFox\7SwLOxlsNz_4Ld_8bs_N30Cf.exe
  "C:\Users\Admin\Documents\GuardFox\7SwLOxlsNz_4Ld_8bs_N30Cf.exe"
  2⤵
  PID:1468
- C:\Users\Admin\Documents\GuardFox\7CZAll1tzE676caXRLLYl9tA.exe
  "C:\Users\Admin\Documents\GuardFox\7CZAll1tzE676caXRLLYl9tA.exe"
  2⤵
  PID:772
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 772 -s 1328
    3⤵
    - Program crash
    PID:4836
- C:\Users\Admin\Documents\GuardFox\rzIP5OFSBe15fY7o1N3xniUp.exe
  "C:\Users\Admin\Documents\GuardFox\rzIP5OFSBe15fY7o1N3xniUp.exe"
  2⤵
  PID:872
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:3420
- C:\Users\Admin\Documents\GuardFox\V1dMdIGAW0HzkhzMFxspEMJj.exe
  "C:\Users\Admin\Documents\GuardFox\V1dMdIGAW0HzkhzMFxspEMJj.exe"
  2⤵
  PID:3924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:1080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3520 -ip 3520
1⤵
PID:1504

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\c3456850-419c-44be-a3c9-061b9cb3af8b" /deny *S-1-1-0:(OI)(CI)(DE,DC)
1⤵
- Modifies file permissions
PID:1792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3964 -ip 3964
1⤵
PID:2196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:2304

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\iDtxXnOU.CPL",
1⤵
PID:624
- C:\Windows\system32\RunDll32.exe
  C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\iDtxXnOU.CPL",
  2⤵
  PID:3364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3976 -ip 3976
1⤵
PID:3740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1452 -ip 1452
1⤵
PID:3756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2984 -ip 2984
1⤵
PID:3124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 772 -ip 772
1⤵
PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2612 -ip 2612
1⤵
PID:724

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\iDtxXnOU.CPL",
1⤵
PID:2984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2668 -ip 2668
1⤵
PID:2980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 792 -ip 792
1⤵
PID:2596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 936 -ip 936
1⤵
PID:3464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1952 -ip 1952
1⤵
PID:5000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

File and Directory Permissions Modification

T1222

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

Remote System Discovery

T1018

System Information Discovery