zgrat | a5b0d190fc09cd5c1ea07fa6b12a7dd4ab5f517c778fb60e4e14060e00ddecc8

Virtualization/Sandbox Evasion

Processes:

iylyvsu.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	iylyvsu.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	svchost.exe

Downloads MZ/PE file

Looks for VMWare Tools registry key 2 TTPs 2 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

Processes:

iylyvsu.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	iylyvsu.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	svchost.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

iylyvsu.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	iylyvsu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	iylyvsu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

iylyvsu.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	iylyvsu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	svchost.exe

Executes dropped EXE 3 IoCs

Processes:

Target.exeiylyvsu.exesvchost.exe

pid process

3700 Target.exe
2236 iylyvsu.exe
2828 svchost.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3480-55-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3480-56-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3480-57-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\svchost.exe = "0"	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

iylyvsu.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""	iylyvsu.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

Processes:

svchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

svchost.exeiylyvsu.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	iylyvsu.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	iylyvsu.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

svchost.exeexplorer.exe

description	pid	process	target process
PID 2828 set thread context of 3056	2828	svchost.exe	explorer.exe
PID 3056 set thread context of 3480	3056	explorer.exe	conhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2900 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2132 timeout.exe

pid	process
2900	schtasks.exe

pid	process
2132	timeout.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

Processes:

Target.exeiylyvsu.exepowershell.exeexplorer.exe

pid	process
3700	Target.exe
3700	Target.exe
3700	Target.exe
3700	Target.exe
3700	Target.exe
2236	iylyvsu.exe
2236	iylyvsu.exe
2236	iylyvsu.exe
2236	iylyvsu.exe
2236	iylyvsu.exe
2236	iylyvsu.exe
2236	iylyvsu.exe
2236	iylyvsu.exe
2236	iylyvsu.exe
2236	iylyvsu.exe
2236	iylyvsu.exe
2236	iylyvsu.exe
2236	iylyvsu.exe
2236	iylyvsu.exe
2236	iylyvsu.exe
2236	iylyvsu.exe
2236	iylyvsu.exe
2236	iylyvsu.exe
2236	iylyvsu.exe
2236	iylyvsu.exe
2236	iylyvsu.exe
2236	iylyvsu.exe
2236	iylyvsu.exe
2236	iylyvsu.exe
3712	powershell.exe
3712	powershell.exe
3712	powershell.exe
3056	explorer.exe
3056	explorer.exe
3056	explorer.exe
3056	explorer.exe
3056	explorer.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

Fzonsvup.exeTarget.exeiylyvsu.exesvchost.exepowershell.exepowercfg.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeDebugPrivilege	1020	Fzonsvup.exe
Token: SeDebugPrivilege	3700	Target.exe
Token: SeDebugPrivilege	2236	iylyvsu.exe
Token: SeDebugPrivilege	2828	svchost.exe
Token: SeDebugPrivilege	3712	powershell.exe
Token: SeShutdownPrivilege	4496	powercfg.exe
Token: SeCreatePagefilePrivilege	4496	powercfg.exe
Token: SeShutdownPrivilege	5056	powercfg.exe
Token: SeCreatePagefilePrivilege	5056	powercfg.exe
Token: SeShutdownPrivilege	3704	powercfg.exe
Token: SeCreatePagefilePrivilege	3704	powercfg.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

Target.exeiylyvsu.execmd.execmd.exesvchost.exeexplorer.exe

description	pid	process	target process
PID 3700 wrote to memory of 2236	3700	Target.exe	iylyvsu.exe
PID 3700 wrote to memory of 2236	3700	Target.exe	iylyvsu.exe
PID 2236 wrote to memory of 4968	2236	iylyvsu.exe	cmd.exe
PID 2236 wrote to memory of 4968	2236	iylyvsu.exe	cmd.exe
PID 2236 wrote to memory of 4008	2236	iylyvsu.exe	cmd.exe
PID 2236 wrote to memory of 4008	2236	iylyvsu.exe	cmd.exe
PID 4008 wrote to memory of 2132	4008	cmd.exe	timeout.exe
PID 4008 wrote to memory of 2132	4008	cmd.exe	timeout.exe
PID 4968 wrote to memory of 2900	4968	cmd.exe	schtasks.exe
PID 4968 wrote to memory of 2900	4968	cmd.exe	schtasks.exe
PID 4008 wrote to memory of 2828	4008	cmd.exe	svchost.exe
PID 4008 wrote to memory of 2828	4008	cmd.exe	svchost.exe
PID 2828 wrote to memory of 3712	2828	svchost.exe	powershell.exe
PID 2828 wrote to memory of 3712	2828	svchost.exe	powershell.exe
PID 2828 wrote to memory of 3056	2828	svchost.exe	explorer.exe
PID 2828 wrote to memory of 3056	2828	svchost.exe	explorer.exe
PID 2828 wrote to memory of 3056	2828	svchost.exe	explorer.exe
PID 2828 wrote to memory of 3056	2828	svchost.exe	explorer.exe
PID 2828 wrote to memory of 3056	2828	svchost.exe	explorer.exe
PID 2828 wrote to memory of 3056	2828	svchost.exe	explorer.exe
PID 2828 wrote to memory of 3056	2828	svchost.exe	explorer.exe
PID 2828 wrote to memory of 3056	2828	svchost.exe	explorer.exe
PID 2828 wrote to memory of 3056	2828	svchost.exe	explorer.exe
PID 2828 wrote to memory of 3056	2828	svchost.exe	explorer.exe
PID 2828 wrote to memory of 3056	2828	svchost.exe	explorer.exe
PID 2828 wrote to memory of 3056	2828	svchost.exe	explorer.exe
PID 3056 wrote to memory of 3480	3056	explorer.exe	conhost.exe
PID 3056 wrote to memory of 3480	3056	explorer.exe	conhost.exe
PID 3056 wrote to memory of 3480	3056	explorer.exe	conhost.exe
PID 3056 wrote to memory of 3480	3056	explorer.exe	conhost.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

svchost.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

C:\Users\Admin\AppData\Local\Temp\Fzonsvup.exe
"C:\Users\Admin\AppData\Local\Temp\Fzonsvup.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1020

C:\Users\Admin\AppData\Roaming\IsFixedSize\Target.exe
C:\Users\Admin\AppData\Roaming\IsFixedSize\Target.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3700
- C:\Users\Admin\AppData\Local\Temp\iylyvsu.exe
  "C:\Users\Admin\AppData\Local\Temp\iylyvsu.exe"
  2⤵
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4968
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
      4⤵
      Creates scheduled task(s)
      PID:2900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE05.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4008
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:2132
  - - C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      UAC bypass
      Windows security bypass
      Looks for VirtualBox Guest Additions in registry
      Looks for VMWare Tools registry key
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Windows security modification
      Checks whether UAC is enabled
      Maps connected drives based on registry
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2828
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svchost.exe" -Force
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3712
    - - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        5⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3056
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4496
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5056
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3704
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        6⤵
        
        PID:3408
      - C:\Windows\system32\conhost.exe
        
        conhost.exe
        6⤵
        
        PID:3480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

3

T1562

Disable or Modify Tools

Modify Registry

Virtualization/Sandbox Evasion

2

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

5

Virtualization/Sandbox Evasion

2