glupteba | 2dd429b06b920140fe9186608b47d7d80697191b089117769912d81f6c39ff38

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2dd429b06b920140fe9186608b47d7d80697191b089117769912d81f6c39ff38.exe

Windows security bypass 2 TTPs 10 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\e1TUuqX2IUVzeUs2xcCkN7vU.exe = "0"	e1TUuqX2IUVzeUs2xcCkN7vU.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\77wuYEZExU0KksC2aXOc28on.exe = "0"	77wuYEZExU0KksC2aXOc28on.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	e1TUuqX2IUVzeUs2xcCkN7vU.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	e1TUuqX2IUVzeUs2xcCkN7vU.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	e1TUuqX2IUVzeUs2xcCkN7vU.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	e1TUuqX2IUVzeUs2xcCkN7vU.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\NmxtPpHgG8c5AwLshRN2JfZz.exe = "0"	NmxtPpHgG8c5AwLshRN2JfZz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\xFohppZnTpRXQIdjsvE5duLP.exe = "0"	xFohppZnTpRXQIdjsvE5duLP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	e1TUuqX2IUVzeUs2xcCkN7vU.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	e1TUuqX2IUVzeUs2xcCkN7vU.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2028	powershell.exe
3232	powershell.exe
6052	powershell.exe
684	powershell.exe
5388	powershell.exe
6020	powershell.exe
4092	powershell.exe
4644	powershell.exe
3236	powershell.exe
1972	powershell.exe
6068	powershell.exe
6072	powershell.exe
2276	powershell.exe
1556	powershell.exe
5276	powershell.exe
6024	powershell.exe
5568	powershell.exe
1180	powershell.exe
5860	powershell.exe
892	powershell.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5492	netsh.exe
5416	netsh.exe
5356	netsh.exe
4256	netsh.exe

Drops startup file 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mEnJ8wzJMLfvya8xUHZOtPWs.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\g02rU0e8NOaFTFA1JlPqZI2B.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jXPC4ZI8SIQy8iUQJcLt7pyq.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8mBLk2MD4Yfnzm8wMXyr4oxG.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DIUstaAxoFKfvE6tsdMkhLA9.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2zplqZxEmlLNd77ww81nCv3j.bat	regsvcs.exe

Executes dropped EXE 12 IoCs

pid	Process
4676	77wuYEZExU0KksC2aXOc28on.exe
3764	xFohppZnTpRXQIdjsvE5duLP.exe
2556	cbMzO28ECyxBfQTqWL5WGpxG.exe
4356	e1TUuqX2IUVzeUs2xcCkN7vU.exe
1472	NmxtPpHgG8c5AwLshRN2JfZz.exe
2600	u1z0.0.exe
5832	77wuYEZExU0KksC2aXOc28on.exe
5884	xFohppZnTpRXQIdjsvE5duLP.exe
5696	e1TUuqX2IUVzeUs2xcCkN7vU.exe
5740	NmxtPpHgG8c5AwLshRN2JfZz.exe
5904	u1z0.1.exe
4496	csrss.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x000800000001ab99-4213.dat	themida
behavioral2/memory/4716-4215-0x0000000140000000-0x0000000140862000-memory.dmp	themida
behavioral2/memory/4716-4707-0x0000000140000000-0x0000000140862000-memory.dmp	themida
behavioral2/memory/4716-4753-0x0000000140000000-0x0000000140862000-memory.dmp	themida

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000b00000001abe8-4760.dat	upx
behavioral2/memory/1036-4762-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Windows security modification 2 TTPs 10 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\77wuYEZExU0KksC2aXOc28on.exe = "0"	77wuYEZExU0KksC2aXOc28on.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	e1TUuqX2IUVzeUs2xcCkN7vU.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	e1TUuqX2IUVzeUs2xcCkN7vU.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\e1TUuqX2IUVzeUs2xcCkN7vU.exe = "0"	e1TUuqX2IUVzeUs2xcCkN7vU.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\NmxtPpHgG8c5AwLshRN2JfZz.exe = "0"	NmxtPpHgG8c5AwLshRN2JfZz.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\xFohppZnTpRXQIdjsvE5duLP.exe = "0"	xFohppZnTpRXQIdjsvE5duLP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	e1TUuqX2IUVzeUs2xcCkN7vU.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	e1TUuqX2IUVzeUs2xcCkN7vU.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	e1TUuqX2IUVzeUs2xcCkN7vU.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	e1TUuqX2IUVzeUs2xcCkN7vU.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	e1TUuqX2IUVzeUs2xcCkN7vU.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	NmxtPpHgG8c5AwLshRN2JfZz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	77wuYEZExU0KksC2aXOc28on.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	xFohppZnTpRXQIdjsvE5duLP.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2dd429b06b920140fe9186608b47d7d80697191b089117769912d81f6c39ff38.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2dd429b06b920140fe9186608b47d7d80697191b089117769912d81f6c39ff38.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com
4	pastebin.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
54	api.myip.com
55	ipinfo.io
57	ipinfo.io

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4656 set thread context of 4180	4656	2dd429b06b920140fe9186608b47d7d80697191b089117769912d81f6c39ff38.exe	77

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 4 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	e1TUuqX2IUVzeUs2xcCkN7vU.exe
File opened (read-only)	\??\VBoxMiniRdrDN	NmxtPpHgG8c5AwLshRN2JfZz.exe
File opened (read-only)	\??\VBoxMiniRdrDN	77wuYEZExU0KksC2aXOc28on.exe
File opened (read-only)	\??\VBoxMiniRdrDN	xFohppZnTpRXQIdjsvE5duLP.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\rss\csrss.exe	xFohppZnTpRXQIdjsvE5duLP.exe
File opened for modification	C:\Windows\rss	e1TUuqX2IUVzeUs2xcCkN7vU.exe
File created	C:\Windows\rss\csrss.exe	e1TUuqX2IUVzeUs2xcCkN7vU.exe
File opened for modification	C:\Windows\rss	NmxtPpHgG8c5AwLshRN2JfZz.exe
File created	C:\Windows\rss\csrss.exe	NmxtPpHgG8c5AwLshRN2JfZz.exe
File opened for modification	C:\Windows\rss	77wuYEZExU0KksC2aXOc28on.exe
File created	C:\Windows\rss\csrss.exe	77wuYEZExU0KksC2aXOc28on.exe
File opened for modification	C:\Windows\rss	xFohppZnTpRXQIdjsvE5duLP.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5888	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u1z0.1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u1z0.1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u1z0.1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	u1z0.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	u1z0.0.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
2204	schtasks.exe
5848	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	xFohppZnTpRXQIdjsvE5duLP.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time"	NmxtPpHgG8c5AwLshRN2JfZz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	e1TUuqX2IUVzeUs2xcCkN7vU.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	77wuYEZExU0KksC2aXOc28on.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	77wuYEZExU0KksC2aXOc28on.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	xFohppZnTpRXQIdjsvE5duLP.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	77wuYEZExU0KksC2aXOc28on.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	77wuYEZExU0KksC2aXOc28on.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time"	77wuYEZExU0KksC2aXOc28on.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	77wuYEZExU0KksC2aXOc28on.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	NmxtPpHgG8c5AwLshRN2JfZz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	xFohppZnTpRXQIdjsvE5duLP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	xFohppZnTpRXQIdjsvE5duLP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time"	e1TUuqX2IUVzeUs2xcCkN7vU.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	77wuYEZExU0KksC2aXOc28on.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	e1TUuqX2IUVzeUs2xcCkN7vU.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time"	e1TUuqX2IUVzeUs2xcCkN7vU.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	NmxtPpHgG8c5AwLshRN2JfZz.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time"	xFohppZnTpRXQIdjsvE5duLP.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time"	xFohppZnTpRXQIdjsvE5duLP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time"	NmxtPpHgG8c5AwLshRN2JfZz.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time"	e1TUuqX2IUVzeUs2xcCkN7vU.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time"	e1TUuqX2IUVzeUs2xcCkN7vU.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	e1TUuqX2IUVzeUs2xcCkN7vU.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	NmxtPpHgG8c5AwLshRN2JfZz.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time"	xFohppZnTpRXQIdjsvE5duLP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time"	e1TUuqX2IUVzeUs2xcCkN7vU.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time"	e1TUuqX2IUVzeUs2xcCkN7vU.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	e1TUuqX2IUVzeUs2xcCkN7vU.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time"	77wuYEZExU0KksC2aXOc28on.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	xFohppZnTpRXQIdjsvE5duLP.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time"	xFohppZnTpRXQIdjsvE5duLP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	e1TUuqX2IUVzeUs2xcCkN7vU.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	e1TUuqX2IUVzeUs2xcCkN7vU.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	xFohppZnTpRXQIdjsvE5duLP.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	xFohppZnTpRXQIdjsvE5duLP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	xFohppZnTpRXQIdjsvE5duLP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	77wuYEZExU0KksC2aXOc28on.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	e1TUuqX2IUVzeUs2xcCkN7vU.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)"	xFohppZnTpRXQIdjsvE5duLP.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
892	powershell.exe
892	powershell.exe
892	powershell.exe
2028	powershell.exe
2028	powershell.exe
3236	powershell.exe
3236	powershell.exe
3232	powershell.exe
3232	powershell.exe
1972	powershell.exe
1972	powershell.exe
2028	powershell.exe
1972	powershell.exe
3236	powershell.exe
3232	powershell.exe
2028	powershell.exe
3236	powershell.exe
3232	powershell.exe
1972	powershell.exe
2600	u1z0.0.exe
2600	u1z0.0.exe
3764	xFohppZnTpRXQIdjsvE5duLP.exe
4356	e1TUuqX2IUVzeUs2xcCkN7vU.exe
4356	e1TUuqX2IUVzeUs2xcCkN7vU.exe
3764	xFohppZnTpRXQIdjsvE5duLP.exe
4676	77wuYEZExU0KksC2aXOc28on.exe
4676	77wuYEZExU0KksC2aXOc28on.exe
1472	NmxtPpHgG8c5AwLshRN2JfZz.exe
1472	NmxtPpHgG8c5AwLshRN2JfZz.exe
6052	powershell.exe
6052	powershell.exe
6072	powershell.exe
6072	powershell.exe
6068	powershell.exe
6068	powershell.exe
6024	powershell.exe
6024	powershell.exe
6052	powershell.exe
6072	powershell.exe
6068	powershell.exe
6024	powershell.exe
6052	powershell.exe
6068	powershell.exe
6024	powershell.exe
6072	powershell.exe
5696	e1TUuqX2IUVzeUs2xcCkN7vU.exe
5696	e1TUuqX2IUVzeUs2xcCkN7vU.exe
5832	77wuYEZExU0KksC2aXOc28on.exe
5832	77wuYEZExU0KksC2aXOc28on.exe
5740	NmxtPpHgG8c5AwLshRN2JfZz.exe
5740	NmxtPpHgG8c5AwLshRN2JfZz.exe
5884	xFohppZnTpRXQIdjsvE5duLP.exe
5884	xFohppZnTpRXQIdjsvE5duLP.exe
5696	e1TUuqX2IUVzeUs2xcCkN7vU.exe
5696	e1TUuqX2IUVzeUs2xcCkN7vU.exe
5740	NmxtPpHgG8c5AwLshRN2JfZz.exe
5740	NmxtPpHgG8c5AwLshRN2JfZz.exe
5832	77wuYEZExU0KksC2aXOc28on.exe
5832	77wuYEZExU0KksC2aXOc28on.exe
5884	xFohppZnTpRXQIdjsvE5duLP.exe
5884	xFohppZnTpRXQIdjsvE5duLP.exe
5884	xFohppZnTpRXQIdjsvE5duLP.exe
5884	xFohppZnTpRXQIdjsvE5duLP.exe
5884	xFohppZnTpRXQIdjsvE5duLP.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeDebugPrivilege	4656	2dd429b06b920140fe9186608b47d7d80697191b089117769912d81f6c39ff38.exe
Token: SeDebugPrivilege	892	powershell.exe
Token: SeDebugPrivilege	4180	regsvcs.exe
Token: SeIncreaseQuotaPrivilege	892	powershell.exe
Token: SeSecurityPrivilege	892	powershell.exe
Token: SeTakeOwnershipPrivilege	892	powershell.exe
Token: SeLoadDriverPrivilege	892	powershell.exe
Token: SeSystemProfilePrivilege	892	powershell.exe
Token: SeSystemtimePrivilege	892	powershell.exe
Token: SeProfSingleProcessPrivilege	892	powershell.exe
Token: SeIncBasePriorityPrivilege	892	powershell.exe
Token: SeCreatePagefilePrivilege	892	powershell.exe
Token: SeBackupPrivilege	892	powershell.exe
Token: SeRestorePrivilege	892	powershell.exe
Token: SeShutdownPrivilege	892	powershell.exe
Token: SeDebugPrivilege	892	powershell.exe
Token: SeSystemEnvironmentPrivilege	892	powershell.exe
Token: SeRemoteShutdownPrivilege	892	powershell.exe
Token: SeUndockPrivilege	892	powershell.exe
Token: SeManageVolumePrivilege	892	powershell.exe
Token: 33	892	powershell.exe
Token: 34	892	powershell.exe
Token: 35	892	powershell.exe
Token: 36	892	powershell.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	3236	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	3232	powershell.exe
Token: SeDebugPrivilege	3764	xFohppZnTpRXQIdjsvE5duLP.exe
Token: SeDebugPrivilege	4356	e1TUuqX2IUVzeUs2xcCkN7vU.exe
Token: SeImpersonatePrivilege	3764	xFohppZnTpRXQIdjsvE5duLP.exe
Token: SeImpersonatePrivilege	4356	e1TUuqX2IUVzeUs2xcCkN7vU.exe
Token: SeDebugPrivilege	4676	77wuYEZExU0KksC2aXOc28on.exe
Token: SeImpersonatePrivilege	4676	77wuYEZExU0KksC2aXOc28on.exe
Token: SeDebugPrivilege	1472	NmxtPpHgG8c5AwLshRN2JfZz.exe
Token: SeImpersonatePrivilege	1472	NmxtPpHgG8c5AwLshRN2JfZz.exe
Token: SeDebugPrivilege	6052	powershell.exe
Token: SeDebugPrivilege	6072	powershell.exe
Token: SeDebugPrivilege	6068	powershell.exe
Token: SeDebugPrivilege	6024	powershell.exe
Token: SeDebugPrivilege	4092	powershell.exe
Token: SeDebugPrivilege	684	powershell.exe
Token: SeDebugPrivilege	1556	powershell.exe
Token: SeDebugPrivilege	5388	powershell.exe
Token: SeDebugPrivilege	6020	powershell.exe
Token: SeDebugPrivilege	4644	powershell.exe
Token: SeDebugPrivilege	5568	powershell.exe
Token: SeDebugPrivilege	1180	powershell.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
5904	u1z0.1.exe
5904	u1z0.1.exe
5904	u1z0.1.exe
5904	u1z0.1.exe
5904	u1z0.1.exe
5904	u1z0.1.exe
5904	u1z0.1.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
5904	u1z0.1.exe
5904	u1z0.1.exe
5904	u1z0.1.exe
5904	u1z0.1.exe
5904	u1z0.1.exe
5904	u1z0.1.exe
5904	u1z0.1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4656 wrote to memory of 892	4656	2dd429b06b920140fe9186608b47d7d80697191b089117769912d81f6c39ff38.exe	75
PID 4656 wrote to memory of 892	4656	2dd429b06b920140fe9186608b47d7d80697191b089117769912d81f6c39ff38.exe	75
PID 4656 wrote to memory of 4180	4656	2dd429b06b920140fe9186608b47d7d80697191b089117769912d81f6c39ff38.exe	77
PID 4656 wrote to memory of 4180	4656	2dd429b06b920140fe9186608b47d7d80697191b089117769912d81f6c39ff38.exe	77
PID 4656 wrote to memory of 4180	4656	2dd429b06b920140fe9186608b47d7d80697191b089117769912d81f6c39ff38.exe	77
PID 4656 wrote to memory of 4180	4656	2dd429b06b920140fe9186608b47d7d80697191b089117769912d81f6c39ff38.exe	77
PID 4656 wrote to memory of 4180	4656	2dd429b06b920140fe9186608b47d7d80697191b089117769912d81f6c39ff38.exe	77
PID 4656 wrote to memory of 4180	4656	2dd429b06b920140fe9186608b47d7d80697191b089117769912d81f6c39ff38.exe	77
PID 4656 wrote to memory of 4180	4656	2dd429b06b920140fe9186608b47d7d80697191b089117769912d81f6c39ff38.exe	77
PID 4656 wrote to memory of 4180	4656	2dd429b06b920140fe9186608b47d7d80697191b089117769912d81f6c39ff38.exe	77
PID 4656 wrote to memory of 1432	4656	2dd429b06b920140fe9186608b47d7d80697191b089117769912d81f6c39ff38.exe	78
PID 4656 wrote to memory of 1432	4656	2dd429b06b920140fe9186608b47d7d80697191b089117769912d81f6c39ff38.exe	78
PID 4656 wrote to memory of 1432	4656	2dd429b06b920140fe9186608b47d7d80697191b089117769912d81f6c39ff38.exe	78
PID 4180 wrote to memory of 4676	4180	regsvcs.exe	82
PID 4180 wrote to memory of 4676	4180	regsvcs.exe	82
PID 4180 wrote to memory of 4676	4180	regsvcs.exe	82
PID 4180 wrote to memory of 3764	4180	regsvcs.exe	83
PID 4180 wrote to memory of 3764	4180	regsvcs.exe	83
PID 4180 wrote to memory of 3764	4180	regsvcs.exe	83
PID 4180 wrote to memory of 2556	4180	regsvcs.exe	84
PID 4180 wrote to memory of 2556	4180	regsvcs.exe	84
PID 4180 wrote to memory of 2556	4180	regsvcs.exe	84
PID 4180 wrote to memory of 4356	4180	regsvcs.exe	85
PID 4180 wrote to memory of 4356	4180	regsvcs.exe	85
PID 4180 wrote to memory of 4356	4180	regsvcs.exe	85
PID 4180 wrote to memory of 1472	4180	regsvcs.exe	86
PID 4180 wrote to memory of 1472	4180	regsvcs.exe	86
PID 4180 wrote to memory of 1472	4180	regsvcs.exe	86
PID 3764 wrote to memory of 3232	3764	xFohppZnTpRXQIdjsvE5duLP.exe	89
PID 3764 wrote to memory of 3232	3764	xFohppZnTpRXQIdjsvE5duLP.exe	89
PID 3764 wrote to memory of 3232	3764	xFohppZnTpRXQIdjsvE5duLP.exe	89
PID 4356 wrote to memory of 2028	4356	e1TUuqX2IUVzeUs2xcCkN7vU.exe	90
PID 4356 wrote to memory of 2028	4356	e1TUuqX2IUVzeUs2xcCkN7vU.exe	90
PID 4356 wrote to memory of 2028	4356	e1TUuqX2IUVzeUs2xcCkN7vU.exe	90
PID 1472 wrote to memory of 3236	1472	NmxtPpHgG8c5AwLshRN2JfZz.exe	88
PID 1472 wrote to memory of 3236	1472	NmxtPpHgG8c5AwLshRN2JfZz.exe	88
PID 1472 wrote to memory of 3236	1472	NmxtPpHgG8c5AwLshRN2JfZz.exe	88
PID 4676 wrote to memory of 1972	4676	77wuYEZExU0KksC2aXOc28on.exe	93
PID 4676 wrote to memory of 1972	4676	77wuYEZExU0KksC2aXOc28on.exe	93
PID 4676 wrote to memory of 1972	4676	77wuYEZExU0KksC2aXOc28on.exe	93
PID 2556 wrote to memory of 2600	2556	cbMzO28ECyxBfQTqWL5WGpxG.exe	96
PID 2556 wrote to memory of 2600	2556	cbMzO28ECyxBfQTqWL5WGpxG.exe	96
PID 2556 wrote to memory of 2600	2556	cbMzO28ECyxBfQTqWL5WGpxG.exe	96
PID 5740 wrote to memory of 6052	5740	NmxtPpHgG8c5AwLshRN2JfZz.exe	104
PID 5740 wrote to memory of 6052	5740	NmxtPpHgG8c5AwLshRN2JfZz.exe	104
PID 5740 wrote to memory of 6052	5740	NmxtPpHgG8c5AwLshRN2JfZz.exe	104
PID 5884 wrote to memory of 6068	5884	xFohppZnTpRXQIdjsvE5duLP.exe	105
PID 5884 wrote to memory of 6068	5884	xFohppZnTpRXQIdjsvE5duLP.exe	105
PID 5884 wrote to memory of 6068	5884	xFohppZnTpRXQIdjsvE5duLP.exe	105
PID 5696 wrote to memory of 6072	5696	e1TUuqX2IUVzeUs2xcCkN7vU.exe	106
PID 5696 wrote to memory of 6072	5696	e1TUuqX2IUVzeUs2xcCkN7vU.exe	106
PID 5696 wrote to memory of 6072	5696	e1TUuqX2IUVzeUs2xcCkN7vU.exe	106
PID 5832 wrote to memory of 6024	5832	77wuYEZExU0KksC2aXOc28on.exe	107
PID 5832 wrote to memory of 6024	5832	77wuYEZExU0KksC2aXOc28on.exe	107
PID 5832 wrote to memory of 6024	5832	77wuYEZExU0KksC2aXOc28on.exe	107
PID 2556 wrote to memory of 5904	2556	cbMzO28ECyxBfQTqWL5WGpxG.exe	112
PID 2556 wrote to memory of 5904	2556	cbMzO28ECyxBfQTqWL5WGpxG.exe	112
PID 2556 wrote to memory of 5904	2556	cbMzO28ECyxBfQTqWL5WGpxG.exe	112
PID 5884 wrote to memory of 1188	5884	xFohppZnTpRXQIdjsvE5duLP.exe	115
PID 5884 wrote to memory of 1188	5884	xFohppZnTpRXQIdjsvE5duLP.exe	115
PID 5696 wrote to memory of 5308	5696	e1TUuqX2IUVzeUs2xcCkN7vU.exe	116
PID 5696 wrote to memory of 5308	5696	e1TUuqX2IUVzeUs2xcCkN7vU.exe	116
PID 5740 wrote to memory of 5256	5740	NmxtPpHgG8c5AwLshRN2JfZz.exe	158
PID 5740 wrote to memory of 5256	5740	NmxtPpHgG8c5AwLshRN2JfZz.exe	158

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2dd429b06b920140fe9186608b47d7d80697191b089117769912d81f6c39ff38.exe

C:\Users\Admin\AppData\Local\Temp\2dd429b06b920140fe9186608b47d7d80697191b089117769912d81f6c39ff38.exe
"C:\Users\Admin\AppData\Local\Temp\2dd429b06b920140fe9186608b47d7d80697191b089117769912d81f6c39ff38.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2dd429b06b920140fe9186608b47d7d80697191b089117769912d81f6c39ff38.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
  2⤵
  - Drops startup file
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4180
- - C:\Users\Admin\Pictures\77wuYEZExU0KksC2aXOc28on.exe
    "C:\Users\Admin\Pictures\77wuYEZExU0KksC2aXOc28on.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4676
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1972
  - - C:\Users\Admin\Pictures\77wuYEZExU0KksC2aXOc28on.exe
      "C:\Users\Admin\Pictures\77wuYEZExU0KksC2aXOc28on.exe"
      4⤵
      Windows security bypass
      Executes dropped EXE
      Windows security modification
      Adds Run key to start application
      Checks for VirtualBox DLLs, possible anti-VM trick
      Drops file in Windows directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:5832
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6024
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:5300
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:4256
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Modifies data under HKEY_USERS
        
        PID:2276
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:4644
- - C:\Users\Admin\Pictures\xFohppZnTpRXQIdjsvE5duLP.exe
    "C:\Users\Admin\Pictures\xFohppZnTpRXQIdjsvE5duLP.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3764
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3232
  - - C:\Users\Admin\Pictures\xFohppZnTpRXQIdjsvE5duLP.exe
      "C:\Users\Admin\Pictures\xFohppZnTpRXQIdjsvE5duLP.exe"
      4⤵
      Windows security bypass
      Executes dropped EXE
      Windows security modification
      Adds Run key to start application
      Checks for VirtualBox DLLs, possible anti-VM trick
      Drops file in Windows directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:5884
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6068
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:1188
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:5492
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:684
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:5568
- - C:\Users\Admin\Pictures\cbMzO28ECyxBfQTqWL5WGpxG.exe
    "C:\Users\Admin\Pictures\cbMzO28ECyxBfQTqWL5WGpxG.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Users\Admin\AppData\Local\Temp\u1z0.0.exe
      "C:\Users\Admin\AppData\Local\Temp\u1z0.0.exe"
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:2600
  - - C:\Users\Admin\AppData\Local\Temp\u1z0.1.exe
      "C:\Users\Admin\AppData\Local\Temp\u1z0.1.exe"
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:5904
    - - C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
        5⤵
        
        PID:5256
- - C:\Users\Admin\Pictures\e1TUuqX2IUVzeUs2xcCkN7vU.exe
    "C:\Users\Admin\Pictures\e1TUuqX2IUVzeUs2xcCkN7vU.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4356
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2028
  - - C:\Users\Admin\Pictures\e1TUuqX2IUVzeUs2xcCkN7vU.exe
      "C:\Users\Admin\Pictures\e1TUuqX2IUVzeUs2xcCkN7vU.exe"
      4⤵
      Windows security bypass
      Executes dropped EXE
      Windows security modification
      Adds Run key to start application
      Checks for VirtualBox DLLs, possible anti-VM trick
      Drops file in Windows directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:5696
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6072
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:5308
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        Modifies data under HKEY_USERS
        
        PID:5416
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:1556
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:6020
    - - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        5⤵
        Executes dropped EXE
        
        PID:4496
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1180
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:5848
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        6⤵
        
        PID:4156
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5860
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5276
      - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        6⤵
        
        PID:6020
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:2204
      - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        6⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        7⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        8⤵
        Launches sc.exe
        
        PID:5888
- - C:\Users\Admin\Pictures\NmxtPpHgG8c5AwLshRN2JfZz.exe
    "C:\Users\Admin\Pictures\NmxtPpHgG8c5AwLshRN2JfZz.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1472
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3236
  - - C:\Users\Admin\Pictures\NmxtPpHgG8c5AwLshRN2JfZz.exe
      "C:\Users\Admin\Pictures\NmxtPpHgG8c5AwLshRN2JfZz.exe"
      4⤵
      Windows security bypass
      Executes dropped EXE
      Windows security modification
      Adds Run key to start application
      Checks for VirtualBox DLLs, possible anti-VM trick
      Drops file in Windows directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:5740
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6052
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:5256
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:5356
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:4092
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5388
- - C:\Users\Admin\Pictures\cPYfY5Ucexb6Agj3qp1nyyFl.exe
    "C:\Users\Admin\Pictures\cPYfY5Ucexb6Agj3qp1nyyFl.exe"
    3⤵
    PID:4716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
  2⤵
  PID:1432

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:5740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:320

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

Modify Registry

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery