93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe

Windows security bypass 2 TTPs 2 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe = "0"	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1912	powershell.exe
1928	powershell.exe
1860	powershell.exe
1760	powershell.exe
4984	powershell.exe

Downloads MZ/PE file

Drops startup file 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CsbFIMsCRI6DEPUqn0UEWW7C.bat	msbuild.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tkSSPcZzAH1DPaCsrFKRWv18.bat	msbuild.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TDnCXUW9Wt7YYypJH1RSQ9c5.bat	msbuild.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d6qycKtVfUguEjPKEVi8YQOC.bat	msbuild.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eHAWoc75qDrF45xnClKMi7ni.bat	msbuild.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\D4gfu30nGfWSxXFHXxUCgx8B.bat	msbuild.exe

Executes dropped EXE 6 IoCs

pid	Process
4480	yjXTmxtvIAx31h1a8BmvE32U.exe
4932	R4KTQyiQNVUzdkhQqDNusoxp.exe
3752	YVPRxPD8yjHQjdvlkbovSWDH.exe
3104	lwT41z0hLPv5q0HtwEHfmvwM.exe
3340	3pON37soywq3KPaS9nVv6HM0.exe
2340	u3gg.0.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x001900000002ab1d-179.dat	themida
behavioral2/memory/2928-181-0x0000000140000000-0x0000000140861000-memory.dmp	themida

Windows security modification 2 TTPs 3 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe = "0"	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	pastebin.com
4	pastebin.com

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ipinfo.io
22	api.myip.com
30	api.myip.com
32	ipinfo.io

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5056 set thread context of 4288	5056	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe	81

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4796	4480	WerFault.exe	85

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1912	powershell.exe
1912	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	5056	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	4288	msbuild.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 5056 wrote to memory of 1912	5056	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe	79
PID 5056 wrote to memory of 1912	5056	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe	79
PID 5056 wrote to memory of 4288	5056	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe	81
PID 5056 wrote to memory of 4288	5056	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe	81
PID 5056 wrote to memory of 4288	5056	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe	81
PID 5056 wrote to memory of 4288	5056	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe	81
PID 5056 wrote to memory of 4288	5056	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe	81
PID 5056 wrote to memory of 4288	5056	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe	81
PID 5056 wrote to memory of 4288	5056	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe	81
PID 5056 wrote to memory of 4288	5056	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe	81
PID 4288 wrote to memory of 4480	4288	msbuild.exe	85
PID 4288 wrote to memory of 4480	4288	msbuild.exe	85
PID 4288 wrote to memory of 4480	4288	msbuild.exe	85
PID 4288 wrote to memory of 4932	4288	msbuild.exe	87
PID 4288 wrote to memory of 4932	4288	msbuild.exe	87
PID 4288 wrote to memory of 4932	4288	msbuild.exe	87
PID 4288 wrote to memory of 3752	4288	msbuild.exe	88
PID 4288 wrote to memory of 3752	4288	msbuild.exe	88
PID 4288 wrote to memory of 3752	4288	msbuild.exe	88
PID 4288 wrote to memory of 3104	4288	msbuild.exe	89
PID 4288 wrote to memory of 3104	4288	msbuild.exe	89
PID 4288 wrote to memory of 3104	4288	msbuild.exe	89
PID 4288 wrote to memory of 3340	4288	msbuild.exe	91
PID 4288 wrote to memory of 3340	4288	msbuild.exe	91
PID 4288 wrote to memory of 3340	4288	msbuild.exe	91
PID 4480 wrote to memory of 2340	4480	yjXTmxtvIAx31h1a8BmvE32U.exe	92
PID 4480 wrote to memory of 2340	4480	yjXTmxtvIAx31h1a8BmvE32U.exe	92
PID 4480 wrote to memory of 2340	4480	yjXTmxtvIAx31h1a8BmvE32U.exe	92

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe

C:\Users\Admin\AppData\Local\Temp\93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe
"C:\Users\Admin\AppData\Local\Temp\93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe"
1⤵
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\93ab0c21c47f274b48753f772002789cf90e81dc4145281ef5862ea94530decb.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
  2⤵
  - Drops startup file
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4288
- - C:\Users\Admin\Pictures\yjXTmxtvIAx31h1a8BmvE32U.exe
    "C:\Users\Admin\Pictures\yjXTmxtvIAx31h1a8BmvE32U.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4480
  - - C:\Users\Admin\AppData\Local\Temp\u3gg.0.exe
      "C:\Users\Admin\AppData\Local\Temp\u3gg.0.exe"
      4⤵
      Executes dropped EXE
      PID:2340
  - - C:\Users\Admin\AppData\Local\Temp\u3gg.1.exe
      "C:\Users\Admin\AppData\Local\Temp\u3gg.1.exe"
      4⤵
      PID:3556
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 1164
      4⤵
      Program crash
      PID:4796
- - C:\Users\Admin\Pictures\R4KTQyiQNVUzdkhQqDNusoxp.exe
    "C:\Users\Admin\Pictures\R4KTQyiQNVUzdkhQqDNusoxp.exe"
    3⤵
    - Executes dropped EXE
    PID:4932
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1860
  - - C:\Users\Admin\Pictures\R4KTQyiQNVUzdkhQqDNusoxp.exe
      "C:\Users\Admin\Pictures\R4KTQyiQNVUzdkhQqDNusoxp.exe"
      4⤵
      PID:3240
- - C:\Users\Admin\Pictures\YVPRxPD8yjHQjdvlkbovSWDH.exe
    "C:\Users\Admin\Pictures\YVPRxPD8yjHQjdvlkbovSWDH.exe"
    3⤵
    - Executes dropped EXE
    PID:3752
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1928
  - - C:\Users\Admin\Pictures\YVPRxPD8yjHQjdvlkbovSWDH.exe
      "C:\Users\Admin\Pictures\YVPRxPD8yjHQjdvlkbovSWDH.exe"
      4⤵
      PID:3408
- - C:\Users\Admin\Pictures\lwT41z0hLPv5q0HtwEHfmvwM.exe
    "C:\Users\Admin\Pictures\lwT41z0hLPv5q0HtwEHfmvwM.exe"
    3⤵
    - Executes dropped EXE
    PID:3104
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1760
  - - C:\Users\Admin\Pictures\lwT41z0hLPv5q0HtwEHfmvwM.exe
      "C:\Users\Admin\Pictures\lwT41z0hLPv5q0HtwEHfmvwM.exe"
      4⤵
      PID:4320
- - C:\Users\Admin\Pictures\3pON37soywq3KPaS9nVv6HM0.exe
    "C:\Users\Admin\Pictures\3pON37soywq3KPaS9nVv6HM0.exe"
    3⤵
    - Executes dropped EXE
    PID:3340
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4984
- - C:\Users\Admin\Pictures\rTWt2sGNkpsXbrhnSnGzVLLE.exe
    "C:\Users\Admin\Pictures\rTWt2sGNkpsXbrhnSnGzVLLE.exe"
    3⤵
    PID:2928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4480 -ip 4480
1⤵
PID:1676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:3912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

Modify Registry