fdf02306a9abf9914892e30ef92b08d07e54fb23be023f5f451125383eb69cfd

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	cli_gui.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1044	powershell.exe
448	powershell.exe
3036	powershell.exe
2680	powershell.exe
1188	powershell.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cli_gui.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cli_gui.exe

Executes dropped EXE 3 IoCs

pid	Process
2676	cli_gui.exe
2824	updater.exe
2532	updater.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 1 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Known Folders API Service.evtx	svchost.exe

Loads dropped DLL 4 IoCs

pid	Process
2692	weave.exe
2692	weave.exe
2408	conhost.exe
1436	taskeng.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x00070000000186fd-9.dat	themida
behavioral1/memory/2676-15-0x000000013F4C0000-0x000000013FD62000-memory.dmp	themida
behavioral1/memory/2676-26-0x000000013F4C0000-0x000000013FD62000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cli_gui.exe

Power Settings 1 TTPs 10 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
3016	powercfg.exe
1680	powercfg.exe
1612	powercfg.exe
2752	powercfg.exe
2660	powercfg.exe
1580	powercfg.exe
1244	powercfg.exe
1936	cmd.exe
1620	cmd.exe
1868	powercfg.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\syscfg.cfg	weave.exe
File created	C:\Windows\system32\updater.exe	weave.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\System32\Tasks\MicrosoftEdge	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\MicrosoftEdge	svchost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
2692	weave.exe
2692	weave.exe
2676	cli_gui.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2824 set thread context of 544	2824	updater.exe	47
PID 2532 set thread context of 2776	2532	updater.exe	70
PID 2532 set thread context of 1316	2532	updater.exe	77
PID 2532 set thread context of 1772	2532	updater.exe	79

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft\Edge\updater.exe	updater.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\appcompat\programs\RecentFileCache.bcf	svchost.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2896	sc.exe
2892	sc.exe
2988	sc.exe
2880	sc.exe
2920	sc.exe
1780	sc.exe
3044	sc.exe
2520	sc.exe
1892	sc.exe
2976	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	weave.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 20132bcb4900db01	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
2432	schtasks.exe
2252	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2692	weave.exe
2692	weave.exe
2692	weave.exe
2692	weave.exe
2692	weave.exe
2692	weave.exe
2692	weave.exe
3036	powershell.exe
2824	updater.exe
2824	updater.exe
1044	powershell.exe
2824	updater.exe
2824	updater.exe
2824	updater.exe
2824	updater.exe
2824	updater.exe
2824	updater.exe
2824	updater.exe
2824	updater.exe
544	dialer.exe
544	dialer.exe
544	dialer.exe
544	dialer.exe
544	dialer.exe
544	dialer.exe
1188	powershell.exe
544	dialer.exe
544	dialer.exe
544	dialer.exe
544	dialer.exe
544	dialer.exe
544	dialer.exe
2824	updater.exe
2824	updater.exe
544	dialer.exe
544	dialer.exe
544	dialer.exe
544	dialer.exe
544	dialer.exe
544	dialer.exe
544	dialer.exe
544	dialer.exe
544	dialer.exe
544	dialer.exe
544	dialer.exe
544	dialer.exe
544	dialer.exe
544	dialer.exe
544	dialer.exe
544	dialer.exe
544	dialer.exe
544	dialer.exe
544	dialer.exe
544	dialer.exe
544	dialer.exe
544	dialer.exe
544	dialer.exe
544	dialer.exe
544	dialer.exe
544	dialer.exe
544	dialer.exe
544	dialer.exe
544	dialer.exe
544	dialer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3036	powershell.exe
Token: SeDebugPrivilege	1044	powershell.exe
Token: SeDebugPrivilege	544	dialer.exe
Token: SeShutdownPrivilege	1612	powercfg.exe
Token: SeAuditPrivilege	856	svchost.exe
Token: SeDebugPrivilege	1188	powershell.exe
Token: SeShutdownPrivilege	2752	powercfg.exe
Token: SeShutdownPrivilege	2660	powercfg.exe
Token: SeShutdownPrivilege	3016	powercfg.exe
Token: SeAuditPrivilege	856	svchost.exe
Token: SeAuditPrivilege	856	svchost.exe
Token: SeDebugPrivilege	448	powershell.exe
Token: SeAuditPrivilege	856	svchost.exe
Token: SeDebugPrivilege	2776	dialer.exe
Token: SeShutdownPrivilege	1680	powercfg.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeShutdownPrivilege	1868	powercfg.exe
Token: SeShutdownPrivilege	1580	powercfg.exe
Token: SeDebugPrivilege	2532	updater.exe
Token: SeShutdownPrivilege	1244	powercfg.exe
Token: SeLockMemoryPrivilege	1772	dialer.exe
Token: SeAssignPrimaryTokenPrivilege	856	svchost.exe
Token: SeIncreaseQuotaPrivilege	856	svchost.exe
Token: SeSecurityPrivilege	856	svchost.exe
Token: SeTakeOwnershipPrivilege	856	svchost.exe
Token: SeLoadDriverPrivilege	856	svchost.exe
Token: SeSystemtimePrivilege	856	svchost.exe
Token: SeBackupPrivilege	856	svchost.exe
Token: SeRestorePrivilege	856	svchost.exe
Token: SeShutdownPrivilege	856	svchost.exe
Token: SeSystemEnvironmentPrivilege	856	svchost.exe
Token: SeUndockPrivilege	856	svchost.exe
Token: SeManageVolumePrivilege	856	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	856	svchost.exe
Token: SeIncreaseQuotaPrivilege	856	svchost.exe
Token: SeSecurityPrivilege	856	svchost.exe
Token: SeTakeOwnershipPrivilege	856	svchost.exe
Token: SeLoadDriverPrivilege	856	svchost.exe
Token: SeSystemtimePrivilege	856	svchost.exe
Token: SeBackupPrivilege	856	svchost.exe
Token: SeRestorePrivilege	856	svchost.exe
Token: SeShutdownPrivilege	856	svchost.exe
Token: SeSystemEnvironmentPrivilege	856	svchost.exe
Token: SeUndockPrivilege	856	svchost.exe
Token: SeManageVolumePrivilege	856	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	856	svchost.exe
Token: SeIncreaseQuotaPrivilege	856	svchost.exe
Token: SeSecurityPrivilege	856	svchost.exe
Token: SeTakeOwnershipPrivilege	856	svchost.exe
Token: SeLoadDriverPrivilege	856	svchost.exe
Token: SeSystemtimePrivilege	856	svchost.exe
Token: SeBackupPrivilege	856	svchost.exe
Token: SeRestorePrivilege	856	svchost.exe
Token: SeShutdownPrivilege	856	svchost.exe
Token: SeSystemEnvironmentPrivilege	856	svchost.exe
Token: SeUndockPrivilege	856	svchost.exe
Token: SeManageVolumePrivilege	856	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	856	svchost.exe
Token: SeIncreaseQuotaPrivilege	856	svchost.exe
Token: SeSecurityPrivilege	856	svchost.exe
Token: SeTakeOwnershipPrivilege	856	svchost.exe
Token: SeLoadDriverPrivilege	856	svchost.exe
Token: SeSystemtimePrivilege	856	svchost.exe
Token: SeBackupPrivilege	856	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2692	weave.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 2676	2692	weave.exe	30
PID 2692 wrote to memory of 2676	2692	weave.exe	30
PID 2692 wrote to memory of 2676	2692	weave.exe	30
PID 2692 wrote to memory of 2676	2692	weave.exe	30
PID 2692 wrote to memory of 2824	2692	weave.exe	32
PID 2692 wrote to memory of 2824	2692	weave.exe	32
PID 2692 wrote to memory of 2824	2692	weave.exe	32
PID 2692 wrote to memory of 2824	2692	weave.exe	32
PID 2676 wrote to memory of 2572	2676	cli_gui.exe	33
PID 2676 wrote to memory of 2572	2676	cli_gui.exe	33
PID 2676 wrote to memory of 2572	2676	cli_gui.exe	33
PID 2572 wrote to memory of 3036	2572	cmd.exe	34
PID 2572 wrote to memory of 3036	2572	cmd.exe	34
PID 2572 wrote to memory of 3036	2572	cmd.exe	34
PID 2676 wrote to memory of 2620	2676	cli_gui.exe	35
PID 2676 wrote to memory of 2620	2676	cli_gui.exe	35
PID 2676 wrote to memory of 2620	2676	cli_gui.exe	35
PID 2864 wrote to memory of 2880	2864	cmd.exe	40
PID 2864 wrote to memory of 2880	2864	cmd.exe	40
PID 2864 wrote to memory of 2880	2864	cmd.exe	40
PID 2864 wrote to memory of 2896	2864	cmd.exe	41
PID 2864 wrote to memory of 2896	2864	cmd.exe	41
PID 2864 wrote to memory of 2896	2864	cmd.exe	41
PID 2864 wrote to memory of 2892	2864	cmd.exe	42
PID 2864 wrote to memory of 2892	2864	cmd.exe	42
PID 2864 wrote to memory of 2892	2864	cmd.exe	42
PID 2864 wrote to memory of 2920	2864	cmd.exe	43
PID 2864 wrote to memory of 2920	2864	cmd.exe	43
PID 2864 wrote to memory of 2920	2864	cmd.exe	43
PID 2864 wrote to memory of 2988	2864	cmd.exe	44
PID 2864 wrote to memory of 2988	2864	cmd.exe	44
PID 2864 wrote to memory of 2988	2864	cmd.exe	44
PID 2824 wrote to memory of 544	2824	updater.exe	47
PID 1936 wrote to memory of 1612	1936	cmd.exe	50
PID 1936 wrote to memory of 1612	1936	cmd.exe	50
PID 1936 wrote to memory of 1612	1936	cmd.exe	50
PID 544 wrote to memory of 432	544	dialer.exe	5
PID 544 wrote to memory of 480	544	dialer.exe	6
PID 544 wrote to memory of 488	544	dialer.exe	7
PID 544 wrote to memory of 496	544	dialer.exe	8
PID 544 wrote to memory of 588	544	dialer.exe	9
PID 544 wrote to memory of 672	544	dialer.exe	10
PID 544 wrote to memory of 748	544	dialer.exe	11
PID 544 wrote to memory of 816	544	dialer.exe	12
PID 544 wrote to memory of 856	544	dialer.exe	13
PID 544 wrote to memory of 968	544	dialer.exe	15
PID 544 wrote to memory of 112	544	dialer.exe	16
PID 544 wrote to memory of 352	544	dialer.exe	17
PID 544 wrote to memory of 1052	544	dialer.exe	18
PID 544 wrote to memory of 1088	544	dialer.exe	19
PID 544 wrote to memory of 1140	544	dialer.exe	20
PID 544 wrote to memory of 1164	544	dialer.exe	21
PID 544 wrote to memory of 2004	544	dialer.exe	23
PID 544 wrote to memory of 864	544	dialer.exe	24
PID 544 wrote to memory of 1480	544	dialer.exe	26
PID 544 wrote to memory of 2160	544	dialer.exe	27
PID 544 wrote to memory of 2676	544	dialer.exe	30
PID 544 wrote to memory of 2408	544	dialer.exe	31
PID 544 wrote to memory of 2824	544	dialer.exe	32
PID 544 wrote to memory of 1936	544	dialer.exe	45
PID 544 wrote to memory of 1980	544	dialer.exe	46
PID 544 wrote to memory of 1188	544	dialer.exe	48
PID 544 wrote to memory of 2384	544	dialer.exe	49
PID 544 wrote to memory of 1612	544	dialer.exe	50

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:480
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:588
- - C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    3⤵
    PID:2004
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
    3⤵
    - Checks processor information in registry
    PID:1652
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -Embedding
    3⤵
    PID:2724
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:672
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  - Modifies security service
  - Indicator Removal: Clear Windows Event Logs
  PID:748
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:816
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1140
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:856
- - C:\Windows\system32\taskeng.exe
    taskeng.exe {BDED5446-CB5E-4AB5-9B4D-9DA6CCF93A78} S-1-5-18:NT AUTHORITY\System:Service:
    3⤵
    - Loads dropped DLL
    PID:1436
  - - C:\Program Files\Microsoft\Edge\updater.exe
      "C:\Program Files\Microsoft\Edge\updater.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Drops file in Program Files directory
      Suspicious use of AdjustPrivilegeToken
      PID:2532
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:968
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:112
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:352
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1052
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1088
- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
  "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
  2⤵
  PID:864
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:1480
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:2160

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:488

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:496

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1164
- C:\Users\Admin\AppData\Local\Temp\weave.exe
  "C:\Users\Admin\AppData\Local\Temp\weave.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Users\Admin\AppData\Local\Temp\cli_gui.exe
    "C:\Users\Admin\AppData\Local\Temp\cli_gui.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\windows\system32'" > NUL 2>&1
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2572
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath 'C:\windows\system32'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3036
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:2620
- - C:\Windows\system32\updater.exe
    "C:\Windows\system32\updater.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1044
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2880
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2896
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2892
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:2920
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:2988
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1612
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2752
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2660
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:3016
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lfvbfbo#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'MicrosoftEdge' /tr '''C:\Program Files\Microsoft\Edge\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Microsoft\Edge\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'MicrosoftEdge' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1188
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn MicrosoftEdge /tr "'C:\Program Files\Microsoft\Edge\updater.exe'"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2432
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "MicrosoftEdge"
  2⤵
  PID:264
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:448
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:980
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1780
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:3044
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2520
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1892
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:2976
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:1620
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1680
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1868
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1580
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1244
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lfvbfbo#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'MicrosoftEdge' /tr '''C:\Program Files\Microsoft\Edge\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Microsoft\Edge\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'MicrosoftEdge' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2680
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn MicrosoftEdge /tr "'C:\Program Files\Microsoft\Edge\updater.exe'"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2252
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:1316
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1772

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "961594437-613884605-166633498917033333291108930349462073106558817752113504042"
1⤵
- Loads dropped DLL
PID:2408

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-919603522-101330215-377633173334443709-131829107-2007654081-1656222640-10852396"
1⤵
PID:1980

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-499235143-17446417961387007416242327353289346227-2534166303557450631980014389"
1⤵
PID:2384

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2097868737-1151772619-1722936738658990339-9208918012129343807-86187945231985917"
1⤵
PID:2420

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1866611900-1934324373-1910471296-502425995342306852-1146352687909183117-66600735"
1⤵
PID:1624

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-9200344851113385966-639039973-7885940931785339866-1077509981-10233729501734073752"
1⤵
PID:1576

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1597540331-866308286-1135928739-1004265539617598180672422462-269386733-1379328040"
1⤵
PID:2936

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "239216863-28922434-2601847952046556608-10415735822077985478644670959-2112705190"
1⤵
PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

System Information Discovery