c2b9998b798219e8966f25a04411b3910ca1b2901ac8e5e1fde29950264cc6e0

Virtualization/Sandbox Evasion

Processes:

INSITE 8.7 Pro.exeINSITE 8.7 Pro.exeINSITE 8.7 Pro.exeINSITE 8.7 Pro.exeINSITE 8.7 Pro.exeINSITE 8.7 Pro.exeINSITE 8.7 Pro.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	INSITE 8.7 Pro.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	INSITE 8.7 Pro.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	INSITE 8.7 Pro.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	INSITE 8.7 Pro.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	INSITE 8.7 Pro.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	INSITE 8.7 Pro.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	INSITE 8.7 Pro.exe

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

T1082

Processes:

INSITE 8.7 Pro.exeINSITE 8.7 Pro.exeINSITE 8.7 Pro.exeINSITE 8.7 Pro.exeINSITE 8.7 Pro.exeINSITE 8.7 Pro.exeINSITE 8.7 Pro.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	INSITE 8.7 Pro.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	INSITE 8.7 Pro.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	INSITE 8.7 Pro.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	INSITE 8.7 Pro.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	INSITE 8.7 Pro.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	INSITE 8.7 Pro.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	INSITE 8.7 Pro.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	INSITE 8.7 Pro.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	INSITE 8.7 Pro.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	INSITE 8.7 Pro.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	INSITE 8.7 Pro.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	INSITE 8.7 Pro.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	INSITE 8.7 Pro.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	INSITE 8.7 Pro.exe

Executes dropped EXE 6 IoCs

Processes:

RestartApp.exeRestartApp.exeRestartApp.exeRestartApp.exeRestartApp.exeRestartApp.exe

pid process

4480 RestartApp.exe
3800 RestartApp.exe
2724 RestartApp.exe
1840 RestartApp.exe
3992 RestartApp.exe
5056 RestartApp.exe

pid	process
4480	RestartApp.exe
3800	RestartApp.exe
2724	RestartApp.exe
1840	RestartApp.exe
3992	RestartApp.exe
5056	RestartApp.exe

Identifies Wine through registry keys 2 TTPs 7 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

Processes:

INSITE 8.7 Pro.exeINSITE 8.7 Pro.exeINSITE 8.7 Pro.exeINSITE 8.7 Pro.exeINSITE 8.7 Pro.exeINSITE 8.7 Pro.exeINSITE 8.7 Pro.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Software\Wine	INSITE 8.7 Pro.exe
Key opened	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Software\Wine	INSITE 8.7 Pro.exe
Key opened	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Software\Wine	INSITE 8.7 Pro.exe
Key opened	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Software\Wine	INSITE 8.7 Pro.exe
Key opened	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Software\Wine	INSITE 8.7 Pro.exe
Key opened	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Software\Wine	INSITE 8.7 Pro.exe
Key opened	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Software\Wine	INSITE 8.7 Pro.exe

Checks whether UAC is enabled 1 TTPs 7 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

INSITE 8.7 Pro.exeINSITE 8.7 Pro.exeINSITE 8.7 Pro.exeINSITE 8.7 Pro.exeINSITE 8.7 Pro.exeINSITE 8.7 Pro.exeINSITE 8.7 Pro.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	INSITE 8.7 Pro.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	INSITE 8.7 Pro.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	INSITE 8.7 Pro.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	INSITE 8.7 Pro.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	INSITE 8.7 Pro.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	INSITE 8.7 Pro.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	INSITE 8.7 Pro.exe

Writes to the Master Boot Record (MBR) 1 TTPs 7 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

INSITE 8.7 Pro.exeINSITE 8.7 Pro.exeINSITE 8.7 Pro.exeINSITE 8.7 Pro.exeINSITE 8.7 Pro.exeINSITE 8.7 Pro.exeINSITE 8.7 Pro.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	INSITE 8.7 Pro.exe
File opened for modification	\??\PhysicalDrive0	INSITE 8.7 Pro.exe
File opened for modification	\??\PhysicalDrive0	INSITE 8.7 Pro.exe
File opened for modification	\??\PhysicalDrive0	INSITE 8.7 Pro.exe
File opened for modification	\??\PhysicalDrive0	INSITE 8.7 Pro.exe
File opened for modification	\??\PhysicalDrive0	INSITE 8.7 Pro.exe
File opened for modification	\??\PhysicalDrive0	INSITE 8.7 Pro.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

Processes:

INSITE 8.7 Pro.exeINSITE 8.7 Pro.exeINSITE 8.7 Pro.exeINSITE 8.7 Pro.exeINSITE 8.7 Pro.exeINSITE 8.7 Pro.exeINSITE 8.7 Pro.exe

pid	process
5072	INSITE 8.7 Pro.exe
1900	INSITE 8.7 Pro.exe
2556	INSITE 8.7 Pro.exe
2780	INSITE 8.7 Pro.exe
1440	INSITE 8.7 Pro.exe
2464	INSITE 8.7 Pro.exe
2668	INSITE 8.7 Pro.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

INSITE 8.7 Pro.exeINSITE 8.7 Pro.exeINSITE 8.7 Pro.exeINSITE 8.7 Pro.exeINSITE 8.7 Pro.exeINSITE 8.7 Pro.exeINSITE 8.7 Pro.exe

pid	process
5072	INSITE 8.7 Pro.exe
5072	INSITE 8.7 Pro.exe
1900	INSITE 8.7 Pro.exe
1900	INSITE 8.7 Pro.exe
2556	INSITE 8.7 Pro.exe
2556	INSITE 8.7 Pro.exe
2780	INSITE 8.7 Pro.exe
2780	INSITE 8.7 Pro.exe
1440	INSITE 8.7 Pro.exe
1440	INSITE 8.7 Pro.exe
2464	INSITE 8.7 Pro.exe
2464	INSITE 8.7 Pro.exe
2668	INSITE 8.7 Pro.exe
2668	INSITE 8.7 Pro.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

INSITE 8.7 Pro.exe

pid process

2464 INSITE 8.7 Pro.exe

pid	process
2464	INSITE 8.7 Pro.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

INSITE 8.7 Pro.exeRestartApp.exeINSITE 8.7 Pro.exeRestartApp.exeINSITE 8.7 Pro.exeRestartApp.exeINSITE 8.7 Pro.exeRestartApp.exeINSITE 8.7 Pro.exeRestartApp.exeINSITE 8.7 Pro.exeRestartApp.exe

description	pid	process	target process
PID 5072 wrote to memory of 4480	5072	INSITE 8.7 Pro.exe	RestartApp.exe
PID 5072 wrote to memory of 4480	5072	INSITE 8.7 Pro.exe	RestartApp.exe
PID 5072 wrote to memory of 4480	5072	INSITE 8.7 Pro.exe	RestartApp.exe
PID 4480 wrote to memory of 1900	4480	RestartApp.exe	INSITE 8.7 Pro.exe
PID 4480 wrote to memory of 1900	4480	RestartApp.exe	INSITE 8.7 Pro.exe
PID 4480 wrote to memory of 1900	4480	RestartApp.exe	INSITE 8.7 Pro.exe
PID 1900 wrote to memory of 3800	1900	INSITE 8.7 Pro.exe	RestartApp.exe
PID 1900 wrote to memory of 3800	1900	INSITE 8.7 Pro.exe	RestartApp.exe
PID 1900 wrote to memory of 3800	1900	INSITE 8.7 Pro.exe	RestartApp.exe
PID 3800 wrote to memory of 2556	3800	RestartApp.exe	INSITE 8.7 Pro.exe
PID 3800 wrote to memory of 2556	3800	RestartApp.exe	INSITE 8.7 Pro.exe
PID 3800 wrote to memory of 2556	3800	RestartApp.exe	INSITE 8.7 Pro.exe
PID 2556 wrote to memory of 2724	2556	INSITE 8.7 Pro.exe	RestartApp.exe
PID 2556 wrote to memory of 2724	2556	INSITE 8.7 Pro.exe	RestartApp.exe
PID 2556 wrote to memory of 2724	2556	INSITE 8.7 Pro.exe	RestartApp.exe
PID 2724 wrote to memory of 2780	2724	RestartApp.exe	INSITE 8.7 Pro.exe
PID 2724 wrote to memory of 2780	2724	RestartApp.exe	INSITE 8.7 Pro.exe
PID 2724 wrote to memory of 2780	2724	RestartApp.exe	INSITE 8.7 Pro.exe
PID 2780 wrote to memory of 1840	2780	INSITE 8.7 Pro.exe	RestartApp.exe
PID 2780 wrote to memory of 1840	2780	INSITE 8.7 Pro.exe	RestartApp.exe
PID 2780 wrote to memory of 1840	2780	INSITE 8.7 Pro.exe	RestartApp.exe
PID 1840 wrote to memory of 1440	1840	RestartApp.exe	INSITE 8.7 Pro.exe
PID 1840 wrote to memory of 1440	1840	RestartApp.exe	INSITE 8.7 Pro.exe
PID 1840 wrote to memory of 1440	1840	RestartApp.exe	INSITE 8.7 Pro.exe
PID 1440 wrote to memory of 3992	1440	INSITE 8.7 Pro.exe	RestartApp.exe
PID 1440 wrote to memory of 3992	1440	INSITE 8.7 Pro.exe	RestartApp.exe
PID 1440 wrote to memory of 3992	1440	INSITE 8.7 Pro.exe	RestartApp.exe
PID 3992 wrote to memory of 2464	3992	RestartApp.exe	INSITE 8.7 Pro.exe
PID 3992 wrote to memory of 2464	3992	RestartApp.exe	INSITE 8.7 Pro.exe
PID 3992 wrote to memory of 2464	3992	RestartApp.exe	INSITE 8.7 Pro.exe
PID 2464 wrote to memory of 5056	2464	INSITE 8.7 Pro.exe	RestartApp.exe
PID 2464 wrote to memory of 5056	2464	INSITE 8.7 Pro.exe	RestartApp.exe
PID 2464 wrote to memory of 5056	2464	INSITE 8.7 Pro.exe	RestartApp.exe
PID 5056 wrote to memory of 2668	5056	RestartApp.exe	INSITE 8.7 Pro.exe
PID 5056 wrote to memory of 2668	5056	RestartApp.exe	INSITE 8.7 Pro.exe
PID 5056 wrote to memory of 2668	5056	RestartApp.exe	INSITE 8.7 Pro.exe

C:\Users\Admin\AppData\Local\Temp\CUMMINS INSITE 8.7 Pro\INSITE 8.7 Pro.exe
"C:\Users\Admin\AppData\Local\Temp\CUMMINS INSITE 8.7 Pro\INSITE 8.7 Pro.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5072

C:\Users\Admin\AppData\Roaming\RestartApp.exe
C:\Users\Admin\AppData\Roaming\RestartApp.exe "5072" "C:\Users\Admin\AppData\Local\Temp\CUMMINS INSITE 8.7 Pro\INSITE 8.7 Pro.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4480

C:\Users\Admin\AppData\Local\Temp\CUMMINS INSITE 8.7 Pro\INSITE 8.7 Pro.exe
"C:\Users\Admin\AppData\Local\Temp\CUMMINS INSITE 8.7 Pro\INSITE 8.7 Pro.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1900

C:\Users\Admin\AppData\Roaming\RestartApp.exe
C:\Users\Admin\AppData\Roaming\RestartApp.exe "1900" "C:\Users\Admin\AppData\Local\Temp\CUMMINS INSITE 8.7 Pro\INSITE 8.7 Pro.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3800

C:\Users\Admin\AppData\Local\Temp\CUMMINS INSITE 8.7 Pro\INSITE 8.7 Pro.exe
"C:\Users\Admin\AppData\Local\Temp\CUMMINS INSITE 8.7 Pro\INSITE 8.7 Pro.exe"
5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2556

C:\Users\Admin\AppData\Roaming\RestartApp.exe
C:\Users\Admin\AppData\Roaming\RestartApp.exe "2556" "C:\Users\Admin\AppData\Local\Temp\CUMMINS INSITE 8.7 Pro\INSITE 8.7 Pro.exe"
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724

C:\Users\Admin\AppData\Local\Temp\CUMMINS INSITE 8.7 Pro\INSITE 8.7 Pro.exe
"C:\Users\Admin\AppData\Local\Temp\CUMMINS INSITE 8.7 Pro\INSITE 8.7 Pro.exe"
7⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2780

C:\Users\Admin\AppData\Roaming\RestartApp.exe
C:\Users\Admin\AppData\Roaming\RestartApp.exe "2780" "C:\Users\Admin\AppData\Local\Temp\CUMMINS INSITE 8.7 Pro\INSITE 8.7 Pro.exe"
8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1840

C:\Users\Admin\AppData\Local\Temp\CUMMINS INSITE 8.7 Pro\INSITE 8.7 Pro.exe
"C:\Users\Admin\AppData\Local\Temp\CUMMINS INSITE 8.7 Pro\INSITE 8.7 Pro.exe"
9⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1440

C:\Users\Admin\AppData\Roaming\RestartApp.exe
C:\Users\Admin\AppData\Roaming\RestartApp.exe "1440" "C:\Users\Admin\AppData\Local\Temp\CUMMINS INSITE 8.7 Pro\INSITE 8.7 Pro.exe"
10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3992

C:\Users\Admin\AppData\Local\Temp\CUMMINS INSITE 8.7 Pro\INSITE 8.7 Pro.exe
"C:\Users\Admin\AppData\Local\Temp\CUMMINS INSITE 8.7 Pro\INSITE 8.7 Pro.exe"
11⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2464

C:\Users\Admin\AppData\Roaming\RestartApp.exe
C:\Users\Admin\AppData\Roaming\RestartApp.exe "2464" "C:\Users\Admin\AppData\Local\Temp\CUMMINS INSITE 8.7 Pro\INSITE 8.7 Pro.exe"
12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5056

C:\Users\Admin\AppData\Local\Temp\CUMMINS INSITE 8.7 Pro\INSITE 8.7 Pro.exe
"C:\Users\Admin\AppData\Local\Temp\CUMMINS INSITE 8.7 Pro\INSITE 8.7 Pro.exe"
13⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2668

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

3

Virtualization/Sandbox Evasion

2