f10ced67a54ca6ec4b98bae2c08f638497a40577313a606501d795606fcc7bfc

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	cli_gui.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2484	powershell.exe
2180	powershell.exe
2876	powershell.exe
2664	powershell.exe
608	powershell.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cli_gui.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cli_gui.exe

Executes dropped EXE 3 IoCs

pid	Process
2804	cli_gui.exe
3044	updater.exe
884	updater.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 1 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Known Folders API Service.evtx	svchost.exe

Loads dropped DLL 4 IoCs

pid	Process
1716	weave.exe
2904	conhost.exe
1716	weave.exe
1444	taskeng.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x00070000000186d9-14.dat	themida
behavioral1/memory/2804-20-0x000000013F1E0000-0x000000013FA94000-memory.dmp	themida
behavioral1/memory/2804-35-0x000000013F1E0000-0x000000013FA94000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cli_gui.exe

Power Settings 1 TTPs 10 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2344	powercfg.exe
2404	powercfg.exe
2272	cmd.exe
2136	powercfg.exe
2216	powercfg.exe
628	powercfg.exe
1688	powercfg.exe
2084	powercfg.exe
3000	powercfg.exe
2004	cmd.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\System32\Tasks\MicrosoftEdge	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\MicrosoftEdge	svchost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\syscfg.cfg	weave.exe
File created	C:\Windows\system32\updater.exe	weave.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
1716	weave.exe
1716	weave.exe
1716	weave.exe
1716	weave.exe
2804	cli_gui.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3044 set thread context of 2500	3044	updater.exe	47
PID 884 set thread context of 1580	884	updater.exe	71
PID 884 set thread context of 1176	884	updater.exe	78
PID 884 set thread context of 1380	884	updater.exe	79

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft\Edge\updater.exe	updater.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\appcompat\programs\RecentFileCache.bcf	svchost.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2916	sc.exe
1856	sc.exe
1572	sc.exe
2188	sc.exe
2356	sc.exe
1948	sc.exe
1488	sc.exe
2264	sc.exe
2336	sc.exe
2984	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	weave.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 20f93bc22d01db01	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
1952	schtasks.exe
824	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1716	weave.exe
1716	weave.exe
1716	weave.exe
1716	weave.exe
1716	weave.exe
1716	weave.exe
2876	powershell.exe
3044	updater.exe
3044	updater.exe
2664	powershell.exe
3044	updater.exe
3044	updater.exe
3044	updater.exe
3044	updater.exe
3044	updater.exe
3044	updater.exe
3044	updater.exe
3044	updater.exe
2500	dialer.exe
2500	dialer.exe
2500	dialer.exe
2500	dialer.exe
2484	powershell.exe
2500	dialer.exe
2500	dialer.exe
2500	dialer.exe
2500	dialer.exe
2500	dialer.exe
2500	dialer.exe
3044	updater.exe
3044	updater.exe
2500	dialer.exe
2500	dialer.exe
2500	dialer.exe
2500	dialer.exe
2500	dialer.exe
2500	dialer.exe
2500	dialer.exe
2500	dialer.exe
2500	dialer.exe
2500	dialer.exe
2500	dialer.exe
2500	dialer.exe
2500	dialer.exe
2500	dialer.exe
2500	dialer.exe
2500	dialer.exe
2500	dialer.exe
2500	dialer.exe
2500	dialer.exe
2500	dialer.exe
2500	dialer.exe
2500	dialer.exe
2500	dialer.exe
2500	dialer.exe
2500	dialer.exe
2500	dialer.exe
2500	dialer.exe
2500	dialer.exe
2500	dialer.exe
2500	dialer.exe
2500	dialer.exe
2500	dialer.exe
2500	dialer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	2500	dialer.exe
Token: SeShutdownPrivilege	2084	powercfg.exe
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeShutdownPrivilege	2136	powercfg.exe
Token: SeShutdownPrivilege	2216	powercfg.exe
Token: SeShutdownPrivilege	3000	powercfg.exe
Token: SeAuditPrivilege	848	svchost.exe
Token: SeAuditPrivilege	848	svchost.exe
Token: SeDebugPrivilege	608	powershell.exe
Token: SeShutdownPrivilege	628	powercfg.exe
Token: SeShutdownPrivilege	1688	powercfg.exe
Token: SeDebugPrivilege	1580	dialer.exe
Token: SeAuditPrivilege	848	svchost.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeShutdownPrivilege	2344	powercfg.exe
Token: SeShutdownPrivilege	2404	powercfg.exe
Token: SeDebugPrivilege	884	updater.exe
Token: SeLockMemoryPrivilege	1380	dialer.exe
Token: SeAssignPrimaryTokenPrivilege	848	svchost.exe
Token: SeIncreaseQuotaPrivilege	848	svchost.exe
Token: SeSecurityPrivilege	848	svchost.exe
Token: SeTakeOwnershipPrivilege	848	svchost.exe
Token: SeLoadDriverPrivilege	848	svchost.exe
Token: SeSystemtimePrivilege	848	svchost.exe
Token: SeBackupPrivilege	848	svchost.exe
Token: SeRestorePrivilege	848	svchost.exe
Token: SeShutdownPrivilege	848	svchost.exe
Token: SeSystemEnvironmentPrivilege	848	svchost.exe
Token: SeUndockPrivilege	848	svchost.exe
Token: SeManageVolumePrivilege	848	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	848	svchost.exe
Token: SeIncreaseQuotaPrivilege	848	svchost.exe
Token: SeSecurityPrivilege	848	svchost.exe
Token: SeTakeOwnershipPrivilege	848	svchost.exe
Token: SeLoadDriverPrivilege	848	svchost.exe
Token: SeSystemtimePrivilege	848	svchost.exe
Token: SeBackupPrivilege	848	svchost.exe
Token: SeRestorePrivilege	848	svchost.exe
Token: SeShutdownPrivilege	848	svchost.exe
Token: SeSystemEnvironmentPrivilege	848	svchost.exe
Token: SeUndockPrivilege	848	svchost.exe
Token: SeManageVolumePrivilege	848	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	848	svchost.exe
Token: SeIncreaseQuotaPrivilege	848	svchost.exe
Token: SeSecurityPrivilege	848	svchost.exe
Token: SeTakeOwnershipPrivilege	848	svchost.exe
Token: SeLoadDriverPrivilege	848	svchost.exe
Token: SeSystemtimePrivilege	848	svchost.exe
Token: SeBackupPrivilege	848	svchost.exe
Token: SeRestorePrivilege	848	svchost.exe
Token: SeShutdownPrivilege	848	svchost.exe
Token: SeSystemEnvironmentPrivilege	848	svchost.exe
Token: SeUndockPrivilege	848	svchost.exe
Token: SeManageVolumePrivilege	848	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	848	svchost.exe
Token: SeIncreaseQuotaPrivilege	848	svchost.exe
Token: SeSecurityPrivilege	848	svchost.exe
Token: SeTakeOwnershipPrivilege	848	svchost.exe
Token: SeLoadDriverPrivilege	848	svchost.exe
Token: SeSystemtimePrivilege	848	svchost.exe
Token: SeBackupPrivilege	848	svchost.exe
Token: SeRestorePrivilege	848	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1716	weave.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 2804	1716	weave.exe	30
PID 1716 wrote to memory of 2804	1716	weave.exe	30
PID 1716 wrote to memory of 2804	1716	weave.exe	30
PID 1716 wrote to memory of 2804	1716	weave.exe	30
PID 1716 wrote to memory of 3044	1716	weave.exe	32
PID 1716 wrote to memory of 3044	1716	weave.exe	32
PID 1716 wrote to memory of 3044	1716	weave.exe	32
PID 1716 wrote to memory of 3044	1716	weave.exe	32
PID 2804 wrote to memory of 2184	2804	cli_gui.exe	33
PID 2804 wrote to memory of 2184	2804	cli_gui.exe	33
PID 2804 wrote to memory of 2184	2804	cli_gui.exe	33
PID 2184 wrote to memory of 2876	2184	cmd.exe	34
PID 2184 wrote to memory of 2876	2184	cmd.exe	34
PID 2184 wrote to memory of 2876	2184	cmd.exe	34
PID 2804 wrote to memory of 2840	2804	cli_gui.exe	35
PID 2804 wrote to memory of 2840	2804	cli_gui.exe	35
PID 2804 wrote to memory of 2840	2804	cli_gui.exe	35
PID 1912 wrote to memory of 2916	1912	cmd.exe	40
PID 1912 wrote to memory of 2916	1912	cmd.exe	40
PID 1912 wrote to memory of 2916	1912	cmd.exe	40
PID 1912 wrote to memory of 1856	1912	cmd.exe	41
PID 1912 wrote to memory of 1856	1912	cmd.exe	41
PID 1912 wrote to memory of 1856	1912	cmd.exe	41
PID 1912 wrote to memory of 1572	1912	cmd.exe	42
PID 1912 wrote to memory of 1572	1912	cmd.exe	42
PID 1912 wrote to memory of 1572	1912	cmd.exe	42
PID 1912 wrote to memory of 1488	1912	cmd.exe	43
PID 1912 wrote to memory of 1488	1912	cmd.exe	43
PID 1912 wrote to memory of 1488	1912	cmd.exe	43
PID 1912 wrote to memory of 2264	1912	cmd.exe	44
PID 1912 wrote to memory of 2264	1912	cmd.exe	44
PID 1912 wrote to memory of 2264	1912	cmd.exe	44
PID 3044 wrote to memory of 2500	3044	updater.exe	47
PID 2272 wrote to memory of 2084	2272	cmd.exe	50
PID 2272 wrote to memory of 2084	2272	cmd.exe	50
PID 2272 wrote to memory of 2084	2272	cmd.exe	50
PID 2500 wrote to memory of 424	2500	dialer.exe	5
PID 2500 wrote to memory of 480	2500	dialer.exe	6
PID 2500 wrote to memory of 488	2500	dialer.exe	7
PID 2500 wrote to memory of 496	2500	dialer.exe	8
PID 2500 wrote to memory of 600	2500	dialer.exe	9
PID 2500 wrote to memory of 676	2500	dialer.exe	10
PID 2500 wrote to memory of 760	2500	dialer.exe	11
PID 2500 wrote to memory of 808	2500	dialer.exe	12
PID 2500 wrote to memory of 848	2500	dialer.exe	13
PID 2500 wrote to memory of 960	2500	dialer.exe	15
PID 2500 wrote to memory of 112	2500	dialer.exe	16
PID 2272 wrote to memory of 2136	2272	cmd.exe	51
PID 2272 wrote to memory of 2136	2272	cmd.exe	51
PID 2272 wrote to memory of 2136	2272	cmd.exe	51
PID 2500 wrote to memory of 908	2500	dialer.exe	17
PID 2500 wrote to memory of 268	2500	dialer.exe	18
PID 2500 wrote to memory of 1140	2500	dialer.exe	19
PID 2500 wrote to memory of 1268	2500	dialer.exe	20
PID 2500 wrote to memory of 1360	2500	dialer.exe	21
PID 2500 wrote to memory of 2036	2500	dialer.exe	23
PID 2500 wrote to memory of 1436	2500	dialer.exe	24
PID 2500 wrote to memory of 2556	2500	dialer.exe	26
PID 2500 wrote to memory of 2584	2500	dialer.exe	27
PID 2500 wrote to memory of 2804	2500	dialer.exe	30
PID 2500 wrote to memory of 2904	2500	dialer.exe	31
PID 2500 wrote to memory of 3044	2500	dialer.exe	32
PID 2500 wrote to memory of 2272	2500	dialer.exe	45
PID 2500 wrote to memory of 2116	2500	dialer.exe	46

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:424

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:480
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:600
- - C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    3⤵
    PID:2036
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
    3⤵
    - Checks processor information in registry
    PID:660
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -Embedding
    3⤵
    PID:1788
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:676
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  - Modifies security service
  - Indicator Removal: Clear Windows Event Logs
  PID:760
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:808
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1268
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:848
- - C:\Windows\system32\taskeng.exe
    taskeng.exe {86CA94B0-A318-4AAD-9A4E-604FC7822AF5} S-1-5-18:NT AUTHORITY\System:Service:
    3⤵
    - Loads dropped DLL
    PID:1444
  - - C:\Program Files\Microsoft\Edge\updater.exe
      "C:\Program Files\Microsoft\Edge\updater.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Drops file in Program Files directory
      Suspicious use of AdjustPrivilegeToken
      PID:884
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:960
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:112
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:908
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:268
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1140
- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
  "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
  2⤵
  PID:1436
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:2556
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:2584

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:488

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:496

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1360
- C:\Users\Admin\AppData\Local\Temp\weave.exe
  "C:\Users\Admin\AppData\Local\Temp\weave.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Users\Admin\AppData\Local\Temp\cli_gui.exe
    "C:\Users\Admin\AppData\Local\Temp\cli_gui.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\windows\system32'" > NUL 2>&1
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2184
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath 'C:\windows\system32'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:2840
- - C:\Windows\system32\updater.exe
    "C:\Windows\system32\updater.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2664
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1912
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2916
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1856
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1572
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1488
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:2264
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2084
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2136
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2216
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:3000
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lfvbfbo#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'MicrosoftEdge' /tr '''C:\Program Files\Microsoft\Edge\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Microsoft\Edge\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'MicrosoftEdge' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2484
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn MicrosoftEdge /tr "'C:\Program Files\Microsoft\Edge\updater.exe'"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1952
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "MicrosoftEdge"
  2⤵
  PID:2996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:608
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:2140
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2336
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2984
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2188
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:2356
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1948
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:2004
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:628
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1688
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2344
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2404
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lfvbfbo#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'MicrosoftEdge' /tr '''C:\Program Files\Microsoft\Edge\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Microsoft\Edge\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'MicrosoftEdge' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2180
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn MicrosoftEdge /tr "'C:\Program Files\Microsoft\Edge\updater.exe'"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:824
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:1176
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1380

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-743956530506403107-819442062-740216718-1289033790592825782-20985488252825245"
1⤵
- Loads dropped DLL
PID:2904

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1142502481378323210-991980120-2056594498-4986613365445904663295488911169224046"
1⤵
PID:2116

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "359905632113573363019210769058569778892068114362-1201310452175789054880889790"
1⤵
PID:436

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1251782746-717108039-477871531398668089-1092486916-667137885-1691740102072276938"
1⤵
PID:552

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1083449861-2108413420-1355087049157415711-252882950151193202-1823592165544936012"
1⤵
PID:2028

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "9168119241249602565-1389047746-1594876355-2087640205345477491-19206243851190049973"
1⤵
PID:2132

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1489051477-1800397954-2095900297110727475833568347129777717510402724772105428914"
1⤵
PID:1500

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1299307100-2634851289295178-27279761312905484681312486948736264037691820880"
1⤵
PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

System Information Discovery