5abfd9a755941262e7c68d0d64a15260810cd9ec73244287c957c316c587a3e1

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	cli_gui.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3024	powershell.exe
840	powershell.exe
2896	powershell.exe
2412	powershell.exe
2068	powershell.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cli_gui.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cli_gui.exe

Executes dropped EXE 3 IoCs

pid	Process
2760	cli_gui.exe
2748	updater.exe
2808	updater.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 1 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Known Folders API Service.evtx	svchost.exe

Loads dropped DLL 4 IoCs

pid	Process
2004	weave.exe
2000	conhost.exe
2004	weave.exe
568	taskeng.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x0008000000016c49-5.dat	themida
behavioral1/memory/2760-11-0x000000013F6A0000-0x000000013FEDE000-memory.dmp	themida
behavioral1/memory/2760-25-0x000000013F6A0000-0x000000013FEDE000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cli_gui.exe

Power Settings 1 TTPs 10 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
908	cmd.exe
2828	powercfg.exe
448	powercfg.exe
2556	powercfg.exe
2228	cmd.exe
1576	powercfg.exe
1604	powercfg.exe
2184	powercfg.exe
2920	powercfg.exe
2660	powercfg.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\MicrosoftEdge	svchost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\syscfg.cfg	weave.exe
File created	C:\Windows\system32\updater.exe	weave.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\System32\Tasks\MicrosoftEdge	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2004	weave.exe
2760	cli_gui.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2748 set thread context of 1380	2748	updater.exe	48
PID 2808 set thread context of 1888	2808	updater.exe	71
PID 2808 set thread context of 2712	2808	updater.exe	79
PID 2808 set thread context of 2628	2808	updater.exe	80

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft\Edge\updater.exe	updater.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\appcompat\programs\RecentFileCache.bcf	svchost.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2476	sc.exe
596	sc.exe
1652	sc.exe
2172	sc.exe
2340	sc.exe
1088	sc.exe
1800	sc.exe
2236	sc.exe
2168	sc.exe
3004	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	weave.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 9068f582aaf3da01	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
2708	schtasks.exe
2648	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2004	weave.exe
2004	weave.exe
2004	weave.exe
2004	weave.exe
2004	weave.exe
2896	powershell.exe
2748	updater.exe
2748	updater.exe
3024	powershell.exe
2748	updater.exe
2748	updater.exe
2748	updater.exe
2748	updater.exe
2748	updater.exe
2748	updater.exe
2748	updater.exe
2748	updater.exe
1380	dialer.exe
1380	dialer.exe
1380	dialer.exe
1380	dialer.exe
1380	dialer.exe
1380	dialer.exe
2412	powershell.exe
1380	dialer.exe
1380	dialer.exe
1380	dialer.exe
1380	dialer.exe
1380	dialer.exe
1380	dialer.exe
2748	updater.exe
2748	updater.exe
1380	dialer.exe
1380	dialer.exe
1380	dialer.exe
1380	dialer.exe
1380	dialer.exe
1380	dialer.exe
1380	dialer.exe
1380	dialer.exe
1380	dialer.exe
1380	dialer.exe
1380	dialer.exe
1380	dialer.exe
1380	dialer.exe
1380	dialer.exe
1380	dialer.exe
1380	dialer.exe
1380	dialer.exe
1380	dialer.exe
1380	dialer.exe
1380	dialer.exe
1380	dialer.exe
1380	dialer.exe
1380	dialer.exe
1380	dialer.exe
1380	dialer.exe
1380	dialer.exe
1380	dialer.exe
1380	dialer.exe
1380	dialer.exe
1380	dialer.exe
1380	dialer.exe
1380	dialer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	1380	dialer.exe
Token: SeShutdownPrivilege	2184	powercfg.exe
Token: SeAuditPrivilege	860	svchost.exe
Token: SeShutdownPrivilege	2920	powercfg.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeShutdownPrivilege	2660	powercfg.exe
Token: SeShutdownPrivilege	2556	powercfg.exe
Token: SeAuditPrivilege	860	svchost.exe
Token: SeAuditPrivilege	860	svchost.exe
Token: SeDebugPrivilege	840	powershell.exe
Token: SeShutdownPrivilege	1576	powercfg.exe
Token: SeDebugPrivilege	1888	dialer.exe
Token: SeAuditPrivilege	860	svchost.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeShutdownPrivilege	2828	powercfg.exe
Token: SeShutdownPrivilege	448	powercfg.exe
Token: SeShutdownPrivilege	1604	powercfg.exe
Token: SeDebugPrivilege	2808	updater.exe
Token: SeLockMemoryPrivilege	2628	dialer.exe
Token: SeAssignPrimaryTokenPrivilege	860	svchost.exe
Token: SeIncreaseQuotaPrivilege	860	svchost.exe
Token: SeSecurityPrivilege	860	svchost.exe
Token: SeTakeOwnershipPrivilege	860	svchost.exe
Token: SeLoadDriverPrivilege	860	svchost.exe
Token: SeSystemtimePrivilege	860	svchost.exe
Token: SeBackupPrivilege	860	svchost.exe
Token: SeRestorePrivilege	860	svchost.exe
Token: SeShutdownPrivilege	860	svchost.exe
Token: SeSystemEnvironmentPrivilege	860	svchost.exe
Token: SeUndockPrivilege	860	svchost.exe
Token: SeManageVolumePrivilege	860	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	860	svchost.exe
Token: SeIncreaseQuotaPrivilege	860	svchost.exe
Token: SeSecurityPrivilege	860	svchost.exe
Token: SeTakeOwnershipPrivilege	860	svchost.exe
Token: SeLoadDriverPrivilege	860	svchost.exe
Token: SeSystemtimePrivilege	860	svchost.exe
Token: SeBackupPrivilege	860	svchost.exe
Token: SeRestorePrivilege	860	svchost.exe
Token: SeShutdownPrivilege	860	svchost.exe
Token: SeSystemEnvironmentPrivilege	860	svchost.exe
Token: SeUndockPrivilege	860	svchost.exe
Token: SeManageVolumePrivilege	860	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	860	svchost.exe
Token: SeIncreaseQuotaPrivilege	860	svchost.exe
Token: SeSecurityPrivilege	860	svchost.exe
Token: SeTakeOwnershipPrivilege	860	svchost.exe
Token: SeLoadDriverPrivilege	860	svchost.exe
Token: SeSystemtimePrivilege	860	svchost.exe
Token: SeBackupPrivilege	860	svchost.exe
Token: SeRestorePrivilege	860	svchost.exe
Token: SeShutdownPrivilege	860	svchost.exe
Token: SeSystemEnvironmentPrivilege	860	svchost.exe
Token: SeUndockPrivilege	860	svchost.exe
Token: SeManageVolumePrivilege	860	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	860	svchost.exe
Token: SeIncreaseQuotaPrivilege	860	svchost.exe
Token: SeSecurityPrivilege	860	svchost.exe
Token: SeTakeOwnershipPrivilege	860	svchost.exe
Token: SeLoadDriverPrivilege	860	svchost.exe
Token: SeSystemtimePrivilege	860	svchost.exe
Token: SeBackupPrivilege	860	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2004	weave.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 2760	2004	weave.exe	31
PID 2004 wrote to memory of 2760	2004	weave.exe	31
PID 2004 wrote to memory of 2760	2004	weave.exe	31
PID 2004 wrote to memory of 2760	2004	weave.exe	31
PID 2004 wrote to memory of 2748	2004	weave.exe	33
PID 2004 wrote to memory of 2748	2004	weave.exe	33
PID 2004 wrote to memory of 2748	2004	weave.exe	33
PID 2004 wrote to memory of 2748	2004	weave.exe	33
PID 2760 wrote to memory of 2052	2760	cli_gui.exe	34
PID 2760 wrote to memory of 2052	2760	cli_gui.exe	34
PID 2760 wrote to memory of 2052	2760	cli_gui.exe	34
PID 2052 wrote to memory of 2896	2052	cmd.exe	35
PID 2052 wrote to memory of 2896	2052	cmd.exe	35
PID 2052 wrote to memory of 2896	2052	cmd.exe	35
PID 2760 wrote to memory of 2536	2760	cli_gui.exe	36
PID 2760 wrote to memory of 2536	2760	cli_gui.exe	36
PID 2760 wrote to memory of 2536	2760	cli_gui.exe	36
PID 2264 wrote to memory of 2476	2264	cmd.exe	41
PID 2264 wrote to memory of 2476	2264	cmd.exe	41
PID 2264 wrote to memory of 2476	2264	cmd.exe	41
PID 2264 wrote to memory of 2236	2264	cmd.exe	42
PID 2264 wrote to memory of 2236	2264	cmd.exe	42
PID 2264 wrote to memory of 2236	2264	cmd.exe	42
PID 2264 wrote to memory of 1800	2264	cmd.exe	43
PID 2264 wrote to memory of 1800	2264	cmd.exe	43
PID 2264 wrote to memory of 1800	2264	cmd.exe	43
PID 2264 wrote to memory of 1088	2264	cmd.exe	44
PID 2264 wrote to memory of 1088	2264	cmd.exe	44
PID 2264 wrote to memory of 1088	2264	cmd.exe	44
PID 2264 wrote to memory of 2168	2264	cmd.exe	45
PID 2264 wrote to memory of 2168	2264	cmd.exe	45
PID 2264 wrote to memory of 2168	2264	cmd.exe	45
PID 2748 wrote to memory of 1380	2748	updater.exe	48
PID 1380 wrote to memory of 432	1380	dialer.exe	5
PID 1380 wrote to memory of 476	1380	dialer.exe	6
PID 1380 wrote to memory of 492	1380	dialer.exe	7
PID 1380 wrote to memory of 500	1380	dialer.exe	8
PID 1380 wrote to memory of 604	1380	dialer.exe	9
PID 1380 wrote to memory of 680	1380	dialer.exe	10
PID 1380 wrote to memory of 740	1380	dialer.exe	11
PID 1380 wrote to memory of 816	1380	dialer.exe	12
PID 1380 wrote to memory of 860	1380	dialer.exe	13
PID 1380 wrote to memory of 976	1380	dialer.exe	15
PID 1380 wrote to memory of 280	1380	dialer.exe	16
PID 1380 wrote to memory of 236	1380	dialer.exe	17
PID 908 wrote to memory of 2184	908	cmd.exe	51
PID 908 wrote to memory of 2184	908	cmd.exe	51
PID 908 wrote to memory of 2184	908	cmd.exe	51
PID 1380 wrote to memory of 1032	1380	dialer.exe	18
PID 1380 wrote to memory of 1116	1380	dialer.exe	19
PID 1380 wrote to memory of 1172	1380	dialer.exe	20
PID 1380 wrote to memory of 1244	1380	dialer.exe	21
PID 1380 wrote to memory of 1528	1380	dialer.exe	23
PID 1380 wrote to memory of 372	1380	dialer.exe	24
PID 1380 wrote to memory of 1736	1380	dialer.exe	27
PID 1380 wrote to memory of 2504	1380	dialer.exe	28
PID 1380 wrote to memory of 2760	1380	dialer.exe	31
PID 1380 wrote to memory of 2000	1380	dialer.exe	32
PID 1380 wrote to memory of 2748	1380	dialer.exe	33
PID 1380 wrote to memory of 908	1380	dialer.exe	46
PID 1380 wrote to memory of 2856	1380	dialer.exe	47
PID 1380 wrote to memory of 2412	1380	dialer.exe	49
PID 1380 wrote to memory of 1664	1380	dialer.exe	50
PID 908 wrote to memory of 2920	908	cmd.exe	52

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:476
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:604
- - C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    3⤵
    PID:1528
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
    3⤵
    - Checks processor information in registry
    PID:2508
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:680
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  - Modifies security service
  - Indicator Removal: Clear Windows Event Logs
  PID:740
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:816
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1172
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:860
- - C:\Windows\system32\taskeng.exe
    taskeng.exe {474017B0-C969-4C52-81CF-C16DD570CD38} S-1-5-18:NT AUTHORITY\System:Service:
    3⤵
    - Loads dropped DLL
    PID:568
  - - C:\Program Files\Microsoft\Edge\updater.exe
      "C:\Program Files\Microsoft\Edge\updater.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Drops file in Program Files directory
      Suspicious use of AdjustPrivilegeToken
      PID:2808
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:976
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:280
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:236
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1032
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1116
- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
  "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
  2⤵
  PID:372
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:1736
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:2504

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:492

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:500

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1244
- C:\Users\Admin\AppData\Local\Temp\weave.exe
  "C:\Users\Admin\AppData\Local\Temp\weave.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Users\Admin\AppData\Local\Temp\cli_gui.exe
    "C:\Users\Admin\AppData\Local\Temp\cli_gui.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory
    PID:2760
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\windows\system32'" > NUL 2>&1
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2052
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath 'C:\windows\system32'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:2536
- - C:\Windows\system32\updater.exe
    "C:\Windows\system32\updater.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3024
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2476
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2236
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1800
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1088
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:2168
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of WriteProcessMemory
  PID:908
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2184
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2920
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2660
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2556
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lfvbfbo#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'MicrosoftEdge' /tr '''C:\Program Files\Microsoft\Edge\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Microsoft\Edge\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'MicrosoftEdge' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2412
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn MicrosoftEdge /tr "'C:\Program Files\Microsoft\Edge\updater.exe'"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2648
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "MicrosoftEdge"
  2⤵
  PID:1088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:840
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:872
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:3004
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2172
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:596
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:2340
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1652
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:2228
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1576
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2828
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:448
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1604
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lfvbfbo#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'MicrosoftEdge' /tr '''C:\Program Files\Microsoft\Edge\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Microsoft\Edge\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'MicrosoftEdge' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2068
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn MicrosoftEdge /tr "'C:\Program Files\Microsoft\Edge\updater.exe'"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2708
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:2712
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2628

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "256531863-1673963652-18017745571630891284-187834172-12194216033939224-1630978395"
1⤵
- Loads dropped DLL
PID:2000

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1979750982916363687-18428747831015800281356654884-1398927397-586381675516650180"
1⤵
PID:2856

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-386073150-328015804-1170124881454529095442657093759225258859366343-467122516"
1⤵
PID:1664

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-109539938277734319974617199-1560126414-17420531109221793411149173209-1502617217"
1⤵
PID:2168

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-976939831-149127351016809566793468127591024068653110659266109222746605945145"
1⤵
PID:2116

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1334727067584712891888032380389270799325285979-4128321451593680490-1534129883"
1⤵
PID:1064

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1121482654750575657-246607512-20090608411153687055105643140-911245231866650686"
1⤵
PID:1872

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1027385200113426842-449611820-17483803761249044441579855998536704194329110428"
1⤵
PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

System Information Discovery