asyncrat | 48cd145349ebdb8a3728c8c55b9e5a59df2ee7676a847afa340d7f88ae24cfd1

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Windows security bypass 2 TTPs 2 IoCs

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\svchost.exe = "0"	svchost.exe

Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	48cd145349ebdb8a3728c8c55b9e5a59df2ee7676a847afa340d7f88ae24cfd1.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	svchost.exe

Looks for VMWare Tools registry key 2 TTPs 2 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	svchost.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	48cd145349ebdb8a3728c8c55b9e5a59df2ee7676a847afa340d7f88ae24cfd1.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	48cd145349ebdb8a3728c8c55b9e5a59df2ee7676a847afa340d7f88ae24cfd1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	48cd145349ebdb8a3728c8c55b9e5a59df2ee7676a847afa340d7f88ae24cfd1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
2896	svchost.exe

Windows security modification 2 TTPs 3 IoCs

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\svchost.exe = "0"	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""	48cd145349ebdb8a3728c8c55b9e5a59df2ee7676a847afa340d7f88ae24cfd1.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	pastebin.com
2	pastebin.com

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	48cd145349ebdb8a3728c8c55b9e5a59df2ee7676a847afa340d7f88ae24cfd1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	48cd145349ebdb8a3728c8c55b9e5a59df2ee7676a847afa340d7f88ae24cfd1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2896 set thread context of 1540	2896	svchost.exe	90

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3704	schtasks.exe

Delays execution with timeout.exe 1 IoCs

pid	Process
2740	timeout.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
4932	48cd145349ebdb8a3728c8c55b9e5a59df2ee7676a847afa340d7f88ae24cfd1.exe
4932	48cd145349ebdb8a3728c8c55b9e5a59df2ee7676a847afa340d7f88ae24cfd1.exe
4932	48cd145349ebdb8a3728c8c55b9e5a59df2ee7676a847afa340d7f88ae24cfd1.exe
4932	48cd145349ebdb8a3728c8c55b9e5a59df2ee7676a847afa340d7f88ae24cfd1.exe
4932	48cd145349ebdb8a3728c8c55b9e5a59df2ee7676a847afa340d7f88ae24cfd1.exe
4932	48cd145349ebdb8a3728c8c55b9e5a59df2ee7676a847afa340d7f88ae24cfd1.exe
4932	48cd145349ebdb8a3728c8c55b9e5a59df2ee7676a847afa340d7f88ae24cfd1.exe
4932	48cd145349ebdb8a3728c8c55b9e5a59df2ee7676a847afa340d7f88ae24cfd1.exe
4932	48cd145349ebdb8a3728c8c55b9e5a59df2ee7676a847afa340d7f88ae24cfd1.exe
4932	48cd145349ebdb8a3728c8c55b9e5a59df2ee7676a847afa340d7f88ae24cfd1.exe
4932	48cd145349ebdb8a3728c8c55b9e5a59df2ee7676a847afa340d7f88ae24cfd1.exe
4932	48cd145349ebdb8a3728c8c55b9e5a59df2ee7676a847afa340d7f88ae24cfd1.exe
4932	48cd145349ebdb8a3728c8c55b9e5a59df2ee7676a847afa340d7f88ae24cfd1.exe
4932	48cd145349ebdb8a3728c8c55b9e5a59df2ee7676a847afa340d7f88ae24cfd1.exe
4932	48cd145349ebdb8a3728c8c55b9e5a59df2ee7676a847afa340d7f88ae24cfd1.exe
4932	48cd145349ebdb8a3728c8c55b9e5a59df2ee7676a847afa340d7f88ae24cfd1.exe
4932	48cd145349ebdb8a3728c8c55b9e5a59df2ee7676a847afa340d7f88ae24cfd1.exe
4932	48cd145349ebdb8a3728c8c55b9e5a59df2ee7676a847afa340d7f88ae24cfd1.exe
4932	48cd145349ebdb8a3728c8c55b9e5a59df2ee7676a847afa340d7f88ae24cfd1.exe
4992	powershell.exe
4992	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4932	48cd145349ebdb8a3728c8c55b9e5a59df2ee7676a847afa340d7f88ae24cfd1.exe
Token: SeDebugPrivilege	2896	svchost.exe
Token: SeDebugPrivilege	4992	powershell.exe
Token: SeDebugPrivilege	1540	regsvcs.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 4932 wrote to memory of 3860	4932	48cd145349ebdb8a3728c8c55b9e5a59df2ee7676a847afa340d7f88ae24cfd1.exe	80
PID 4932 wrote to memory of 3860	4932	48cd145349ebdb8a3728c8c55b9e5a59df2ee7676a847afa340d7f88ae24cfd1.exe	80
PID 4932 wrote to memory of 3828	4932	48cd145349ebdb8a3728c8c55b9e5a59df2ee7676a847afa340d7f88ae24cfd1.exe	82
PID 4932 wrote to memory of 3828	4932	48cd145349ebdb8a3728c8c55b9e5a59df2ee7676a847afa340d7f88ae24cfd1.exe	82
PID 3860 wrote to memory of 3704	3860	cmd.exe	84
PID 3860 wrote to memory of 3704	3860	cmd.exe	84
PID 3828 wrote to memory of 2740	3828	cmd.exe	85
PID 3828 wrote to memory of 2740	3828	cmd.exe	85
PID 3828 wrote to memory of 2896	3828	cmd.exe	86
PID 3828 wrote to memory of 2896	3828	cmd.exe	86
PID 2896 wrote to memory of 4992	2896	svchost.exe	88
PID 2896 wrote to memory of 4992	2896	svchost.exe	88
PID 2896 wrote to memory of 1540	2896	svchost.exe	90
PID 2896 wrote to memory of 1540	2896	svchost.exe	90
PID 2896 wrote to memory of 1540	2896	svchost.exe	90
PID 2896 wrote to memory of 1540	2896	svchost.exe	90
PID 2896 wrote to memory of 1540	2896	svchost.exe	90
PID 2896 wrote to memory of 1540	2896	svchost.exe	90
PID 2896 wrote to memory of 1540	2896	svchost.exe	90
PID 2896 wrote to memory of 1540	2896	svchost.exe	90
PID 2896 wrote to memory of 3428	2896	svchost.exe	91
PID 2896 wrote to memory of 3428	2896	svchost.exe	91
PID 2896 wrote to memory of 3428	2896	svchost.exe	91

System policy modification 1 TTPs 1 IoCs

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\48cd145349ebdb8a3728c8c55b9e5a59df2ee7676a847afa340d7f88ae24cfd1.exe
"C:\Users\Admin\AppData\Local\Temp\48cd145349ebdb8a3728c8c55b9e5a59df2ee7676a847afa340d7f88ae24cfd1.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4932
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3860
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
    3⤵
    - Creates scheduled task(s)
    PID:3704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp60FC.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3828
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2740
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - UAC bypass
    - Windows security bypass
    - Looks for VirtualBox Guest Additions in registry
    - Looks for VMWare Tools registry key
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Windows security modification
    - Checks whether UAC is enabled
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2896
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svchost.exe" -Force
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4992
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1540
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
      4⤵
      PID:3428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

3

T1562

Disable or Modify Tools

Modify Registry

Virtualization/Sandbox Evasion

2

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

4

Virtualization/Sandbox Evasion

2

Lateral Movement

Collection

Command and Control

Web Service