2bde8a0357a3e9c2202962b1c941198d8389709b1e34abf10b11bdd70fe70060

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2bde8a0357a3e9c2202962b1c941198d8389709b1e34abf10b11bdd70fe70060.exe

Windows security bypass 2 TTPs 2 IoCs

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	2bde8a0357a3e9c2202962b1c941198d8389709b1e34abf10b11bdd70fe70060.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\2bde8a0357a3e9c2202962b1c941198d8389709b1e34abf10b11bdd70fe70060.exe = "0"	2bde8a0357a3e9c2202962b1c941198d8389709b1e34abf10b11bdd70fe70060.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4176	powershell.exe

Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rFo0LvjrQXDjtWSSiHGTJjYg.bat	msbuild.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x0OqoIxr2R9iBHq2Lq1Gi781.bat	msbuild.exe

Executes dropped EXE 1 IoCs

pid	Process
1436	uE8Bl6pmVrKzO0diTkd9NJzK.exe

Windows security modification 2 TTPs 3 IoCs

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions	2bde8a0357a3e9c2202962b1c941198d8389709b1e34abf10b11bdd70fe70060.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\2bde8a0357a3e9c2202962b1c941198d8389709b1e34abf10b11bdd70fe70060.exe = "0"	2bde8a0357a3e9c2202962b1c941198d8389709b1e34abf10b11bdd70fe70060.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	2bde8a0357a3e9c2202962b1c941198d8389709b1e34abf10b11bdd70fe70060.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2bde8a0357a3e9c2202962b1c941198d8389709b1e34abf10b11bdd70fe70060.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2bde8a0357a3e9c2202962b1c941198d8389709b1e34abf10b11bdd70fe70060.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com
2	raw.githubusercontent.com
4	pastebin.com
13	raw.githubusercontent.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3216 set thread context of 1600	3216	2bde8a0357a3e9c2202962b1c941198d8389709b1e34abf10b11bdd70fe70060.exe	85

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uE8Bl6pmVrKzO0diTkd9NJzK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4176	powershell.exe
4176	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4176	powershell.exe
Token: SeDebugPrivilege	1600	msbuild.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3216 wrote to memory of 4176	3216	2bde8a0357a3e9c2202962b1c941198d8389709b1e34abf10b11bdd70fe70060.exe	83
PID 3216 wrote to memory of 4176	3216	2bde8a0357a3e9c2202962b1c941198d8389709b1e34abf10b11bdd70fe70060.exe	83
PID 3216 wrote to memory of 1600	3216	2bde8a0357a3e9c2202962b1c941198d8389709b1e34abf10b11bdd70fe70060.exe	85
PID 3216 wrote to memory of 1600	3216	2bde8a0357a3e9c2202962b1c941198d8389709b1e34abf10b11bdd70fe70060.exe	85
PID 3216 wrote to memory of 1600	3216	2bde8a0357a3e9c2202962b1c941198d8389709b1e34abf10b11bdd70fe70060.exe	85
PID 3216 wrote to memory of 1600	3216	2bde8a0357a3e9c2202962b1c941198d8389709b1e34abf10b11bdd70fe70060.exe	85
PID 3216 wrote to memory of 1600	3216	2bde8a0357a3e9c2202962b1c941198d8389709b1e34abf10b11bdd70fe70060.exe	85
PID 3216 wrote to memory of 1600	3216	2bde8a0357a3e9c2202962b1c941198d8389709b1e34abf10b11bdd70fe70060.exe	85
PID 3216 wrote to memory of 1600	3216	2bde8a0357a3e9c2202962b1c941198d8389709b1e34abf10b11bdd70fe70060.exe	85
PID 3216 wrote to memory of 1600	3216	2bde8a0357a3e9c2202962b1c941198d8389709b1e34abf10b11bdd70fe70060.exe	85
PID 3216 wrote to memory of 1936	3216	2bde8a0357a3e9c2202962b1c941198d8389709b1e34abf10b11bdd70fe70060.exe	86
PID 3216 wrote to memory of 1936	3216	2bde8a0357a3e9c2202962b1c941198d8389709b1e34abf10b11bdd70fe70060.exe	86
PID 3216 wrote to memory of 1936	3216	2bde8a0357a3e9c2202962b1c941198d8389709b1e34abf10b11bdd70fe70060.exe	86
PID 1600 wrote to memory of 1436	1600	msbuild.exe	90
PID 1600 wrote to memory of 1436	1600	msbuild.exe	90
PID 1600 wrote to memory of 1436	1600	msbuild.exe	90

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2bde8a0357a3e9c2202962b1c941198d8389709b1e34abf10b11bdd70fe70060.exe

C:\Users\Admin\AppData\Local\Temp\2bde8a0357a3e9c2202962b1c941198d8389709b1e34abf10b11bdd70fe70060.exe
"C:\Users\Admin\AppData\Local\Temp\2bde8a0357a3e9c2202962b1c941198d8389709b1e34abf10b11bdd70fe70060.exe"
1⤵
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3216
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2bde8a0357a3e9c2202962b1c941198d8389709b1e34abf10b11bdd70fe70060.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4176
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1600
- - C:\Users\Admin\Pictures\uE8Bl6pmVrKzO0diTkd9NJzK.exe
    "C:\Users\Admin\Pictures\uE8Bl6pmVrKzO0diTkd9NJzK.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
  2⤵
  PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

3

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

2

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service