glupteba | 166fbe093262a894127000d51aac0677a370cba01faad82120eee2f44a573d04

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe

Windows security bypass 2 TTPs 2 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe = "0"	0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
956	powershell.exe
3876	powershell.exe
5904	powershell.exe
3376	powershell.exe
5612	powershell.exe
4352	powershell.exe
3876	powershell.exe
5688	powershell.exe
3264	powershell.exe
372	powershell.exe
5532	powershell.exe
5644	powershell.exe
5892	powershell.exe
2232	powershell.exe
5992	powershell.exe
5852	powershell.exe
548	powershell.exe
4128	powershell.exe
936	powershell.exe
3672	powershell.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5324	netsh.exe
5468	netsh.exe
5516	netsh.exe
5332	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	tehUCNoYrTKDGV6OXIKXpSpO.exe

Drops startup file 7 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ep5TwNKvUwdyPDoIHAQUMpCs.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sGn6DaoKUBF4WWlOItI7u4Gm.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\86Zp0EmxuAuS22SLWZyfIL49.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RiR6CTbrZrpMxY8KkXD6hg0g.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Qap7V3dROhFV1NeaOeXSSyol.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\twT78Mx9z83SdTlWudKKUo0W.bat	regsvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\g6wMedraySsiYCyr3FHKGcj4.bat	regsvcs.exe

Executes dropped EXE 11 IoCs

pid	Process
400	tehUCNoYrTKDGV6OXIKXpSpO.exe
4540	KiDKrfGEOZFnMNlcPxqWtZNQ.exe
4804	EXJFFOSgYliuK9SKrPlmD4DI.exe
4340	jeIFeZnFMtOxggvMiEDB9wtH.exe
4132	YIo8EHAhe4x0lr74YkyQyWCf.exe
4384	ub4.0.exe
3636	jeIFeZnFMtOxggvMiEDB9wtH.exe
3764	EXJFFOSgYliuK9SKrPlmD4DI.exe
3856	KiDKrfGEOZFnMNlcPxqWtZNQ.exe
1596	YIo8EHAhe4x0lr74YkyQyWCf.exe
3452	ub4.1.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00090000000234e2-700.dat	upx
behavioral2/memory/5268-712-0x0000000000400000-0x00000000008DF000-memory.dmp	upx
behavioral2/memory/5268-726-0x0000000000400000-0x00000000008DF000-memory.dmp	upx

Windows security modification 2 TTPs 3 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe = "0"	0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions	0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
25	pastebin.com
26	pastebin.com

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2208 set thread context of 2324	2208	0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe	93

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 4 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	YIo8EHAhe4x0lr74YkyQyWCf.exe
File opened (read-only)	\??\VBoxMiniRdrDN	EXJFFOSgYliuK9SKrPlmD4DI.exe
File opened (read-only)	\??\VBoxMiniRdrDN	KiDKrfGEOZFnMNlcPxqWtZNQ.exe
File opened (read-only)	\??\VBoxMiniRdrDN	jeIFeZnFMtOxggvMiEDB9wtH.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5336	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4468	4384	WerFault.exe	106

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ub4.1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ub4.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ub4.1.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
6068	schtasks.exe
60	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	KiDKrfGEOZFnMNlcPxqWtZNQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	EXJFFOSgYliuK9SKrPlmD4DI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time"	EXJFFOSgYliuK9SKrPlmD4DI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	YIo8EHAhe4x0lr74YkyQyWCf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	KiDKrfGEOZFnMNlcPxqWtZNQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	jeIFeZnFMtOxggvMiEDB9wtH.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	YIo8EHAhe4x0lr74YkyQyWCf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time"	YIo8EHAhe4x0lr74YkyQyWCf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time"	YIo8EHAhe4x0lr74YkyQyWCf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time"	KiDKrfGEOZFnMNlcPxqWtZNQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	YIo8EHAhe4x0lr74YkyQyWCf.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	KiDKrfGEOZFnMNlcPxqWtZNQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time"	YIo8EHAhe4x0lr74YkyQyWCf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time"	YIo8EHAhe4x0lr74YkyQyWCf.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time"	YIo8EHAhe4x0lr74YkyQyWCf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	EXJFFOSgYliuK9SKrPlmD4DI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	KiDKrfGEOZFnMNlcPxqWtZNQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	YIo8EHAhe4x0lr74YkyQyWCf.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time"	KiDKrfGEOZFnMNlcPxqWtZNQ.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	KiDKrfGEOZFnMNlcPxqWtZNQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	KiDKrfGEOZFnMNlcPxqWtZNQ.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time"	KiDKrfGEOZFnMNlcPxqWtZNQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time"	jeIFeZnFMtOxggvMiEDB9wtH.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time"	KiDKrfGEOZFnMNlcPxqWtZNQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	KiDKrfGEOZFnMNlcPxqWtZNQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time"	jeIFeZnFMtOxggvMiEDB9wtH.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	YIo8EHAhe4x0lr74YkyQyWCf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	EXJFFOSgYliuK9SKrPlmD4DI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	YIo8EHAhe4x0lr74YkyQyWCf.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time"	EXJFFOSgYliuK9SKrPlmD4DI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time"	YIo8EHAhe4x0lr74YkyQyWCf.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	jeIFeZnFMtOxggvMiEDB9wtH.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	KiDKrfGEOZFnMNlcPxqWtZNQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time"	KiDKrfGEOZFnMNlcPxqWtZNQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	KiDKrfGEOZFnMNlcPxqWtZNQ.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time"	KiDKrfGEOZFnMNlcPxqWtZNQ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	EXJFFOSgYliuK9SKrPlmD4DI.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
956	powershell.exe
956	powershell.exe
372	powershell.exe
372	powershell.exe
548	powershell.exe
548	powershell.exe
936	powershell.exe
936	powershell.exe
3264	powershell.exe
3264	powershell.exe
548	powershell.exe
936	powershell.exe
372	powershell.exe
3264	powershell.exe
4340	jeIFeZnFMtOxggvMiEDB9wtH.exe
4804	EXJFFOSgYliuK9SKrPlmD4DI.exe
4340	jeIFeZnFMtOxggvMiEDB9wtH.exe
4804	EXJFFOSgYliuK9SKrPlmD4DI.exe
4540	KiDKrfGEOZFnMNlcPxqWtZNQ.exe
4132	YIo8EHAhe4x0lr74YkyQyWCf.exe
4132	YIo8EHAhe4x0lr74YkyQyWCf.exe
4540	KiDKrfGEOZFnMNlcPxqWtZNQ.exe
3876	powershell.exe
3876	powershell.exe
3672	powershell.exe
3672	powershell.exe
4128	powershell.exe
4128	powershell.exe
3376	powershell.exe
3376	powershell.exe
4128	powershell.exe
3672	powershell.exe
3876	powershell.exe
3376	powershell.exe
3764	EXJFFOSgYliuK9SKrPlmD4DI.exe
3764	EXJFFOSgYliuK9SKrPlmD4DI.exe
3856	KiDKrfGEOZFnMNlcPxqWtZNQ.exe
3856	KiDKrfGEOZFnMNlcPxqWtZNQ.exe
3764	EXJFFOSgYliuK9SKrPlmD4DI.exe
3856	KiDKrfGEOZFnMNlcPxqWtZNQ.exe
3764	EXJFFOSgYliuK9SKrPlmD4DI.exe
3856	KiDKrfGEOZFnMNlcPxqWtZNQ.exe
3764	EXJFFOSgYliuK9SKrPlmD4DI.exe
3856	KiDKrfGEOZFnMNlcPxqWtZNQ.exe
3856	KiDKrfGEOZFnMNlcPxqWtZNQ.exe
3764	EXJFFOSgYliuK9SKrPlmD4DI.exe
3856	KiDKrfGEOZFnMNlcPxqWtZNQ.exe
3856	KiDKrfGEOZFnMNlcPxqWtZNQ.exe
3764	EXJFFOSgYliuK9SKrPlmD4DI.exe
3764	EXJFFOSgYliuK9SKrPlmD4DI.exe
3856	KiDKrfGEOZFnMNlcPxqWtZNQ.exe
3856	KiDKrfGEOZFnMNlcPxqWtZNQ.exe
3764	EXJFFOSgYliuK9SKrPlmD4DI.exe
3764	EXJFFOSgYliuK9SKrPlmD4DI.exe
3636	jeIFeZnFMtOxggvMiEDB9wtH.exe
3636	jeIFeZnFMtOxggvMiEDB9wtH.exe
3636	jeIFeZnFMtOxggvMiEDB9wtH.exe
3636	jeIFeZnFMtOxggvMiEDB9wtH.exe
3636	jeIFeZnFMtOxggvMiEDB9wtH.exe
3636	jeIFeZnFMtOxggvMiEDB9wtH.exe
3636	jeIFeZnFMtOxggvMiEDB9wtH.exe
3636	jeIFeZnFMtOxggvMiEDB9wtH.exe
3636	jeIFeZnFMtOxggvMiEDB9wtH.exe
3636	jeIFeZnFMtOxggvMiEDB9wtH.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	2208	0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe
Token: SeDebugPrivilege	956	powershell.exe
Token: SeDebugPrivilege	2324	regsvcs.exe
Token: SeDebugPrivilege	372	powershell.exe
Token: SeDebugPrivilege	548	powershell.exe
Token: SeDebugPrivilege	936	powershell.exe
Token: SeDebugPrivilege	3264	powershell.exe
Token: SeDebugPrivilege	4340	jeIFeZnFMtOxggvMiEDB9wtH.exe
Token: SeDebugPrivilege	4804	EXJFFOSgYliuK9SKrPlmD4DI.exe
Token: SeImpersonatePrivilege	4340	jeIFeZnFMtOxggvMiEDB9wtH.exe
Token: SeImpersonatePrivilege	4804	EXJFFOSgYliuK9SKrPlmD4DI.exe
Token: SeDebugPrivilege	4540	KiDKrfGEOZFnMNlcPxqWtZNQ.exe
Token: SeDebugPrivilege	4132	YIo8EHAhe4x0lr74YkyQyWCf.exe
Token: SeImpersonatePrivilege	4540	KiDKrfGEOZFnMNlcPxqWtZNQ.exe
Token: SeImpersonatePrivilege	4132	YIo8EHAhe4x0lr74YkyQyWCf.exe
Token: SeDebugPrivilege	3876	powershell.exe
Token: SeDebugPrivilege	3672	powershell.exe
Token: SeDebugPrivilege	4128	powershell.exe
Token: SeDebugPrivilege	3376	powershell.exe
Token: SeDebugPrivilege	5532	powershell.exe
Token: SeDebugPrivilege	5612	powershell.exe
Token: SeDebugPrivilege	5644	powershell.exe
Token: SeDebugPrivilege	5892	powershell.exe
Token: SeDebugPrivilege	3876	powershell.exe
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeDebugPrivilege	4352	powershell.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
3452	ub4.1.exe
3452	ub4.1.exe
3452	ub4.1.exe
3452	ub4.1.exe
3452	ub4.1.exe
3452	ub4.1.exe
3452	ub4.1.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
3452	ub4.1.exe
3452	ub4.1.exe
3452	ub4.1.exe
3452	ub4.1.exe
3452	ub4.1.exe
3452	ub4.1.exe
3452	ub4.1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 956	2208	0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe	91
PID 2208 wrote to memory of 956	2208	0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe	91
PID 2208 wrote to memory of 2324	2208	0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe	93
PID 2208 wrote to memory of 2324	2208	0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe	93
PID 2208 wrote to memory of 2324	2208	0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe	93
PID 2208 wrote to memory of 2324	2208	0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe	93
PID 2208 wrote to memory of 2324	2208	0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe	93
PID 2208 wrote to memory of 2324	2208	0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe	93
PID 2208 wrote to memory of 2324	2208	0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe	93
PID 2208 wrote to memory of 2324	2208	0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe	93
PID 2208 wrote to memory of 3576	2208	0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe	94
PID 2208 wrote to memory of 3576	2208	0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe	94
PID 2208 wrote to memory of 3576	2208	0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe	94
PID 2324 wrote to memory of 400	2324	regsvcs.exe	100
PID 2324 wrote to memory of 400	2324	regsvcs.exe	100
PID 2324 wrote to memory of 400	2324	regsvcs.exe	100
PID 2324 wrote to memory of 4540	2324	regsvcs.exe	101
PID 2324 wrote to memory of 4540	2324	regsvcs.exe	101
PID 2324 wrote to memory of 4540	2324	regsvcs.exe	101
PID 2324 wrote to memory of 4804	2324	regsvcs.exe	102
PID 2324 wrote to memory of 4804	2324	regsvcs.exe	102
PID 2324 wrote to memory of 4804	2324	regsvcs.exe	102
PID 2324 wrote to memory of 4340	2324	regsvcs.exe	103
PID 2324 wrote to memory of 4340	2324	regsvcs.exe	103
PID 2324 wrote to memory of 4340	2324	regsvcs.exe	103
PID 2324 wrote to memory of 4132	2324	regsvcs.exe	105
PID 2324 wrote to memory of 4132	2324	regsvcs.exe	105
PID 2324 wrote to memory of 4132	2324	regsvcs.exe	105
PID 400 wrote to memory of 4384	400	tehUCNoYrTKDGV6OXIKXpSpO.exe	106
PID 400 wrote to memory of 4384	400	tehUCNoYrTKDGV6OXIKXpSpO.exe	106
PID 400 wrote to memory of 4384	400	tehUCNoYrTKDGV6OXIKXpSpO.exe	106
PID 4340 wrote to memory of 548	4340	jeIFeZnFMtOxggvMiEDB9wtH.exe	109
PID 4340 wrote to memory of 548	4340	jeIFeZnFMtOxggvMiEDB9wtH.exe	109
PID 4340 wrote to memory of 548	4340	jeIFeZnFMtOxggvMiEDB9wtH.exe	109
PID 4540 wrote to memory of 372	4540	KiDKrfGEOZFnMNlcPxqWtZNQ.exe	111
PID 4540 wrote to memory of 372	4540	KiDKrfGEOZFnMNlcPxqWtZNQ.exe	111
PID 4540 wrote to memory of 372	4540	KiDKrfGEOZFnMNlcPxqWtZNQ.exe	111
PID 4804 wrote to memory of 936	4804	EXJFFOSgYliuK9SKrPlmD4DI.exe	114
PID 4804 wrote to memory of 936	4804	EXJFFOSgYliuK9SKrPlmD4DI.exe	114
PID 4804 wrote to memory of 936	4804	EXJFFOSgYliuK9SKrPlmD4DI.exe	114
PID 4132 wrote to memory of 3264	4132	YIo8EHAhe4x0lr74YkyQyWCf.exe	113
PID 4132 wrote to memory of 3264	4132	YIo8EHAhe4x0lr74YkyQyWCf.exe	113
PID 4132 wrote to memory of 3264	4132	YIo8EHAhe4x0lr74YkyQyWCf.exe	113
PID 3856 wrote to memory of 3876	3856	KiDKrfGEOZFnMNlcPxqWtZNQ.exe	152
PID 3856 wrote to memory of 3876	3856	KiDKrfGEOZFnMNlcPxqWtZNQ.exe	152
PID 3856 wrote to memory of 3876	3856	KiDKrfGEOZFnMNlcPxqWtZNQ.exe	152
PID 1596 wrote to memory of 3376	1596	YIo8EHAhe4x0lr74YkyQyWCf.exe	124
PID 1596 wrote to memory of 3376	1596	YIo8EHAhe4x0lr74YkyQyWCf.exe	124
PID 1596 wrote to memory of 3376	1596	YIo8EHAhe4x0lr74YkyQyWCf.exe	124
PID 3636 wrote to memory of 4128	3636	jeIFeZnFMtOxggvMiEDB9wtH.exe	125
PID 3636 wrote to memory of 4128	3636	jeIFeZnFMtOxggvMiEDB9wtH.exe	125
PID 3636 wrote to memory of 4128	3636	jeIFeZnFMtOxggvMiEDB9wtH.exe	125
PID 3764 wrote to memory of 3672	3764	EXJFFOSgYliuK9SKrPlmD4DI.exe	126
PID 3764 wrote to memory of 3672	3764	EXJFFOSgYliuK9SKrPlmD4DI.exe	126
PID 3764 wrote to memory of 3672	3764	EXJFFOSgYliuK9SKrPlmD4DI.exe	126
PID 3856 wrote to memory of 5236	3856	KiDKrfGEOZFnMNlcPxqWtZNQ.exe	131
PID 3856 wrote to memory of 5236	3856	KiDKrfGEOZFnMNlcPxqWtZNQ.exe	131
PID 3764 wrote to memory of 5252	3764	EXJFFOSgYliuK9SKrPlmD4DI.exe	133
PID 3764 wrote to memory of 5252	3764	EXJFFOSgYliuK9SKrPlmD4DI.exe	133
PID 5236 wrote to memory of 5324	5236	cmd.exe	135
PID 5236 wrote to memory of 5324	5236	cmd.exe	135
PID 5252 wrote to memory of 5332	5252	cmd.exe	136
PID 5252 wrote to memory of 5332	5252	cmd.exe	136
PID 3636 wrote to memory of 5368	3636	jeIFeZnFMtOxggvMiEDB9wtH.exe	137

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe

C:\Users\Admin\AppData\Local\Temp\0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe
"C:\Users\Admin\AppData\Local\Temp\0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe"
1⤵
- UAC bypass
- Windows security bypass
- Checks computer location settings
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
  2⤵
  - Drops startup file
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Users\Admin\Pictures\tehUCNoYrTKDGV6OXIKXpSpO.exe
    "C:\Users\Admin\Pictures\tehUCNoYrTKDGV6OXIKXpSpO.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:400
  - - C:\Users\Admin\AppData\Local\Temp\ub4.0.exe
      "C:\Users\Admin\AppData\Local\Temp\ub4.0.exe"
      4⤵
      Executes dropped EXE
      PID:4384
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 828
        5⤵
        Program crash
        
        PID:4468
  - - C:\Users\Admin\AppData\Local\Temp\ub4.1.exe
      "C:\Users\Admin\AppData\Local\Temp\ub4.1.exe"
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:3452
    - - C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
        5⤵
        
        PID:4720
- - C:\Users\Admin\Pictures\KiDKrfGEOZFnMNlcPxqWtZNQ.exe
    "C:\Users\Admin\Pictures\KiDKrfGEOZFnMNlcPxqWtZNQ.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4540
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:372
  - - C:\Users\Admin\Pictures\KiDKrfGEOZFnMNlcPxqWtZNQ.exe
      "C:\Users\Admin\Pictures\KiDKrfGEOZFnMNlcPxqWtZNQ.exe"
      4⤵
      Executes dropped EXE
      Checks for VirtualBox DLLs, possible anti-VM trick
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3856
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3876
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5236
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:5324
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:5892
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5904
- - C:\Users\Admin\Pictures\EXJFFOSgYliuK9SKrPlmD4DI.exe
    "C:\Users\Admin\Pictures\EXJFFOSgYliuK9SKrPlmD4DI.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4804
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:936
  - - C:\Users\Admin\Pictures\EXJFFOSgYliuK9SKrPlmD4DI.exe
      "C:\Users\Admin\Pictures\EXJFFOSgYliuK9SKrPlmD4DI.exe"
      4⤵
      Executes dropped EXE
      Checks for VirtualBox DLLs, possible anti-VM trick
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3764
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3672
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5252
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:5332
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:5532
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
- - C:\Users\Admin\Pictures\jeIFeZnFMtOxggvMiEDB9wtH.exe
    "C:\Users\Admin\Pictures\jeIFeZnFMtOxggvMiEDB9wtH.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4340
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:548
  - - C:\Users\Admin\Pictures\jeIFeZnFMtOxggvMiEDB9wtH.exe
      "C:\Users\Admin\Pictures\jeIFeZnFMtOxggvMiEDB9wtH.exe"
      4⤵
      Executes dropped EXE
      Checks for VirtualBox DLLs, possible anti-VM trick
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3636
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4128
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:5368
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:5468
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:5612
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:3876
    - - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        5⤵
        
        PID:6040
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5688
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:6068
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        6⤵
        
        PID:6136
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5992
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5852
      - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        6⤵
        
        PID:4064
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:60
      - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        6⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        7⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        8⤵
        Launches sc.exe
        
        PID:5336
- - C:\Users\Admin\Pictures\YIo8EHAhe4x0lr74YkyQyWCf.exe
    "C:\Users\Admin\Pictures\YIo8EHAhe4x0lr74YkyQyWCf.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4132
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3264
  - - C:\Users\Admin\Pictures\YIo8EHAhe4x0lr74YkyQyWCf.exe
      "C:\Users\Admin\Pictures\YIo8EHAhe4x0lr74YkyQyWCf.exe"
      4⤵
      Executes dropped EXE
      Checks for VirtualBox DLLs, possible anti-VM trick
      Modifies data under HKEY_USERS
      Suspicious use of WriteProcessMemory
      PID:1596
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3376
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:5412
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:5516
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:5644
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:4352
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
  2⤵
  PID:3576

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:5268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4384 -ip 4384
1⤵
PID:5484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery