agenttesla | 726653ca6a7c8ba9be0c2a8be957b464bd108580e9e6135cce2b11b124180e94

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	AsuUQa4j6S2HpNn.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	BLClOKQwCpC7NEW.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2492	powershell.exe
4312	powershell.exe
1272	powershell.exe
2436	powershell.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	AsuUQa4j6S2HpNn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	AsuUQa4j6S2HpNn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	BLClOKQwCpC7NEW.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	BLClOKQwCpC7NEW.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	BLClOKQwCpC7NEW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	726653ca6a7c8ba9be0c2a8be957b464bd108580e9e6135cce2b11b124180e94.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	AsuUQa4j6S2HpNn.exe

Executes dropped EXE 9 IoCs

pid	Process
2284	BLClOKQwCpC7NEW.exe
4220	AsuUQa4j6S2HpNn.exe
2388	AsuUQa4j6S2HpNn.exe
3944	AsuUQa4j6S2HpNn.exe
2768	AsuUQa4j6S2HpNn.exe
4028	BLClOKQwCpC7NEW.exe
1224	BLClOKQwCpC7NEW.exe
4912	BLClOKQwCpC7NEW.exe
3188	BLClOKQwCpC7NEW.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Themida packer 29 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/2768-53-0x0000000000400000-0x0000000000A0A000-memory.dmp	themida
behavioral2/memory/2768-70-0x0000000000400000-0x0000000000A0A000-memory.dmp	themida
behavioral2/memory/2768-79-0x0000000000400000-0x0000000000A0A000-memory.dmp	themida
behavioral2/memory/2768-80-0x0000000000400000-0x0000000000A0A000-memory.dmp	themida
behavioral2/memory/2768-82-0x0000000000400000-0x0000000000A0A000-memory.dmp	themida
behavioral2/memory/2768-86-0x0000000000400000-0x0000000000A0A000-memory.dmp	themida
behavioral2/memory/2768-78-0x0000000000400000-0x0000000000A0A000-memory.dmp	themida
behavioral2/memory/2768-77-0x0000000000400000-0x0000000000A0A000-memory.dmp	themida
behavioral2/memory/2768-75-0x0000000000400000-0x0000000000A0A000-memory.dmp	themida
behavioral2/memory/2768-73-0x0000000000400000-0x0000000000A0A000-memory.dmp	themida
behavioral2/memory/2768-74-0x0000000000400000-0x0000000000A0A000-memory.dmp	themida
behavioral2/memory/2768-72-0x0000000000400000-0x0000000000A0A000-memory.dmp	themida
behavioral2/memory/2768-71-0x0000000000400000-0x0000000000A0A000-memory.dmp	themida
behavioral2/memory/2768-81-0x0000000000400000-0x0000000000A0A000-memory.dmp	themida
behavioral2/memory/2768-76-0x0000000000400000-0x0000000000A0A000-memory.dmp	themida
behavioral2/memory/3188-158-0x0000000000400000-0x0000000000A20000-memory.dmp	themida
behavioral2/memory/3188-156-0x0000000000400000-0x0000000000A20000-memory.dmp	themida
behavioral2/memory/3188-161-0x0000000000400000-0x0000000000A20000-memory.dmp	themida
behavioral2/memory/3188-169-0x0000000000400000-0x0000000000A20000-memory.dmp	themida
behavioral2/memory/3188-170-0x0000000000400000-0x0000000000A20000-memory.dmp	themida
behavioral2/memory/3188-172-0x0000000000400000-0x0000000000A20000-memory.dmp	themida
behavioral2/memory/3188-167-0x0000000000400000-0x0000000000A20000-memory.dmp	themida
behavioral2/memory/3188-168-0x0000000000400000-0x0000000000A20000-memory.dmp	themida
behavioral2/memory/3188-166-0x0000000000400000-0x0000000000A20000-memory.dmp	themida
behavioral2/memory/3188-164-0x0000000000400000-0x0000000000A20000-memory.dmp	themida
behavioral2/memory/3188-162-0x0000000000400000-0x0000000000A20000-memory.dmp	themida
behavioral2/memory/3188-165-0x0000000000400000-0x0000000000A20000-memory.dmp	themida
behavioral2/memory/3188-163-0x0000000000400000-0x0000000000A20000-memory.dmp	themida
behavioral2/memory/3188-160-0x0000000000400000-0x0000000000A20000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AsuUQa4j6S2HpNn.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	BLClOKQwCpC7NEW.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
45	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2768	AsuUQa4j6S2HpNn.exe
3188	BLClOKQwCpC7NEW.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4220 set thread context of 2768	4220	AsuUQa4j6S2HpNn.exe	111
PID 2284 set thread context of 3188	2284	BLClOKQwCpC7NEW.exe	123

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AsuUQa4j6S2HpNn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BLClOKQwCpC7NEW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AsuUQa4j6S2HpNn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BLClOKQwCpC7NEW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
5036	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
3188	schtasks.exe
2188	schtasks.exe

Suspicious behavior: EnumeratesProcesses 49 IoCs

pid	Process
2768	726653ca6a7c8ba9be0c2a8be957b464bd108580e9e6135cce2b11b124180e94.exe
4220	AsuUQa4j6S2HpNn.exe
4220	AsuUQa4j6S2HpNn.exe
2284	BLClOKQwCpC7NEW.exe
2284	BLClOKQwCpC7NEW.exe
4220	AsuUQa4j6S2HpNn.exe
2284	BLClOKQwCpC7NEW.exe
4220	AsuUQa4j6S2HpNn.exe
2284	BLClOKQwCpC7NEW.exe
4220	AsuUQa4j6S2HpNn.exe
2284	BLClOKQwCpC7NEW.exe
4220	AsuUQa4j6S2HpNn.exe
2284	BLClOKQwCpC7NEW.exe
2436	powershell.exe
2436	powershell.exe
1272	powershell.exe
1272	powershell.exe
4220	AsuUQa4j6S2HpNn.exe
4220	AsuUQa4j6S2HpNn.exe
4220	AsuUQa4j6S2HpNn.exe
4220	AsuUQa4j6S2HpNn.exe
4220	AsuUQa4j6S2HpNn.exe
4220	AsuUQa4j6S2HpNn.exe
2768	AsuUQa4j6S2HpNn.exe
2768	AsuUQa4j6S2HpNn.exe
1272	powershell.exe
2284	BLClOKQwCpC7NEW.exe
2284	BLClOKQwCpC7NEW.exe
2436	powershell.exe
2284	BLClOKQwCpC7NEW.exe
2492	powershell.exe
2492	powershell.exe
4312	powershell.exe
4312	powershell.exe
2284	BLClOKQwCpC7NEW.exe
2284	BLClOKQwCpC7NEW.exe
2284	BLClOKQwCpC7NEW.exe
2284	BLClOKQwCpC7NEW.exe
2284	BLClOKQwCpC7NEW.exe
2284	BLClOKQwCpC7NEW.exe
2284	BLClOKQwCpC7NEW.exe
4312	powershell.exe
2284	BLClOKQwCpC7NEW.exe
2492	powershell.exe
3188	BLClOKQwCpC7NEW.exe
3188	BLClOKQwCpC7NEW.exe
3188	BLClOKQwCpC7NEW.exe
3188	BLClOKQwCpC7NEW.exe
3188	BLClOKQwCpC7NEW.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

description	pid	Process
Token: SeDebugPrivilege	2768	726653ca6a7c8ba9be0c2a8be957b464bd108580e9e6135cce2b11b124180e94.exe
Token: SeIncreaseQuotaPrivilege	208	WMIC.exe
Token: SeSecurityPrivilege	208	WMIC.exe
Token: SeTakeOwnershipPrivilege	208	WMIC.exe
Token: SeLoadDriverPrivilege	208	WMIC.exe
Token: SeSystemProfilePrivilege	208	WMIC.exe
Token: SeSystemtimePrivilege	208	WMIC.exe
Token: SeProfSingleProcessPrivilege	208	WMIC.exe
Token: SeIncBasePriorityPrivilege	208	WMIC.exe
Token: SeCreatePagefilePrivilege	208	WMIC.exe
Token: SeBackupPrivilege	208	WMIC.exe
Token: SeRestorePrivilege	208	WMIC.exe
Token: SeShutdownPrivilege	208	WMIC.exe
Token: SeDebugPrivilege	208	WMIC.exe
Token: SeSystemEnvironmentPrivilege	208	WMIC.exe
Token: SeRemoteShutdownPrivilege	208	WMIC.exe
Token: SeUndockPrivilege	208	WMIC.exe
Token: SeManageVolumePrivilege	208	WMIC.exe
Token: 33	208	WMIC.exe
Token: 34	208	WMIC.exe
Token: 35	208	WMIC.exe
Token: 36	208	WMIC.exe
Token: SeIncreaseQuotaPrivilege	208	WMIC.exe
Token: SeSecurityPrivilege	208	WMIC.exe
Token: SeTakeOwnershipPrivilege	208	WMIC.exe
Token: SeLoadDriverPrivilege	208	WMIC.exe
Token: SeSystemProfilePrivilege	208	WMIC.exe
Token: SeSystemtimePrivilege	208	WMIC.exe
Token: SeProfSingleProcessPrivilege	208	WMIC.exe
Token: SeIncBasePriorityPrivilege	208	WMIC.exe
Token: SeCreatePagefilePrivilege	208	WMIC.exe
Token: SeBackupPrivilege	208	WMIC.exe
Token: SeRestorePrivilege	208	WMIC.exe
Token: SeShutdownPrivilege	208	WMIC.exe
Token: SeDebugPrivilege	208	WMIC.exe
Token: SeSystemEnvironmentPrivilege	208	WMIC.exe
Token: SeRemoteShutdownPrivilege	208	WMIC.exe
Token: SeUndockPrivilege	208	WMIC.exe
Token: SeManageVolumePrivilege	208	WMIC.exe
Token: 33	208	WMIC.exe
Token: 34	208	WMIC.exe
Token: 35	208	WMIC.exe
Token: 36	208	WMIC.exe
Token: SeDebugPrivilege	2284	BLClOKQwCpC7NEW.exe
Token: SeDebugPrivilege	4220	AsuUQa4j6S2HpNn.exe
Token: SeDebugPrivilege	1272	powershell.exe
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeDebugPrivilege	2768	AsuUQa4j6S2HpNn.exe
Token: SeDebugPrivilege	4312	powershell.exe
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeDebugPrivilege	3188	BLClOKQwCpC7NEW.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3188	BLClOKQwCpC7NEW.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2768 wrote to memory of 4072	2768	726653ca6a7c8ba9be0c2a8be957b464bd108580e9e6135cce2b11b124180e94.exe	84
PID 2768 wrote to memory of 4072	2768	726653ca6a7c8ba9be0c2a8be957b464bd108580e9e6135cce2b11b124180e94.exe	84
PID 4072 wrote to memory of 208	4072	cmd.exe	86
PID 4072 wrote to memory of 208	4072	cmd.exe	86
PID 2768 wrote to memory of 2284	2768	726653ca6a7c8ba9be0c2a8be957b464bd108580e9e6135cce2b11b124180e94.exe	89
PID 2768 wrote to memory of 2284	2768	726653ca6a7c8ba9be0c2a8be957b464bd108580e9e6135cce2b11b124180e94.exe	89
PID 2768 wrote to memory of 2284	2768	726653ca6a7c8ba9be0c2a8be957b464bd108580e9e6135cce2b11b124180e94.exe	89
PID 2768 wrote to memory of 4220	2768	726653ca6a7c8ba9be0c2a8be957b464bd108580e9e6135cce2b11b124180e94.exe	90
PID 2768 wrote to memory of 4220	2768	726653ca6a7c8ba9be0c2a8be957b464bd108580e9e6135cce2b11b124180e94.exe	90
PID 2768 wrote to memory of 4220	2768	726653ca6a7c8ba9be0c2a8be957b464bd108580e9e6135cce2b11b124180e94.exe	90
PID 2768 wrote to memory of 1976	2768	726653ca6a7c8ba9be0c2a8be957b464bd108580e9e6135cce2b11b124180e94.exe	91
PID 2768 wrote to memory of 1976	2768	726653ca6a7c8ba9be0c2a8be957b464bd108580e9e6135cce2b11b124180e94.exe	91
PID 1976 wrote to memory of 5036	1976	cmd.exe	93
PID 1976 wrote to memory of 5036	1976	cmd.exe	93
PID 4220 wrote to memory of 1272	4220	AsuUQa4j6S2HpNn.exe	103
PID 4220 wrote to memory of 1272	4220	AsuUQa4j6S2HpNn.exe	103
PID 4220 wrote to memory of 1272	4220	AsuUQa4j6S2HpNn.exe	103
PID 4220 wrote to memory of 2436	4220	AsuUQa4j6S2HpNn.exe	105
PID 4220 wrote to memory of 2436	4220	AsuUQa4j6S2HpNn.exe	105
PID 4220 wrote to memory of 2436	4220	AsuUQa4j6S2HpNn.exe	105
PID 4220 wrote to memory of 3188	4220	AsuUQa4j6S2HpNn.exe	123
PID 4220 wrote to memory of 3188	4220	AsuUQa4j6S2HpNn.exe	123
PID 4220 wrote to memory of 3188	4220	AsuUQa4j6S2HpNn.exe	123
PID 4220 wrote to memory of 2388	4220	AsuUQa4j6S2HpNn.exe	109
PID 4220 wrote to memory of 2388	4220	AsuUQa4j6S2HpNn.exe	109
PID 4220 wrote to memory of 2388	4220	AsuUQa4j6S2HpNn.exe	109
PID 4220 wrote to memory of 3944	4220	AsuUQa4j6S2HpNn.exe	110
PID 4220 wrote to memory of 3944	4220	AsuUQa4j6S2HpNn.exe	110
PID 4220 wrote to memory of 3944	4220	AsuUQa4j6S2HpNn.exe	110
PID 4220 wrote to memory of 2768	4220	AsuUQa4j6S2HpNn.exe	111
PID 4220 wrote to memory of 2768	4220	AsuUQa4j6S2HpNn.exe	111
PID 4220 wrote to memory of 2768	4220	AsuUQa4j6S2HpNn.exe	111
PID 4220 wrote to memory of 2768	4220	AsuUQa4j6S2HpNn.exe	111
PID 4220 wrote to memory of 2768	4220	AsuUQa4j6S2HpNn.exe	111
PID 4220 wrote to memory of 2768	4220	AsuUQa4j6S2HpNn.exe	111
PID 4220 wrote to memory of 2768	4220	AsuUQa4j6S2HpNn.exe	111
PID 4220 wrote to memory of 2768	4220	AsuUQa4j6S2HpNn.exe	111
PID 4220 wrote to memory of 2768	4220	AsuUQa4j6S2HpNn.exe	111
PID 4220 wrote to memory of 2768	4220	AsuUQa4j6S2HpNn.exe	111
PID 4220 wrote to memory of 2768	4220	AsuUQa4j6S2HpNn.exe	111
PID 4220 wrote to memory of 2768	4220	AsuUQa4j6S2HpNn.exe	111
PID 2284 wrote to memory of 4312	2284	BLClOKQwCpC7NEW.exe	114
PID 2284 wrote to memory of 4312	2284	BLClOKQwCpC7NEW.exe	114
PID 2284 wrote to memory of 4312	2284	BLClOKQwCpC7NEW.exe	114
PID 2284 wrote to memory of 2492	2284	BLClOKQwCpC7NEW.exe	116
PID 2284 wrote to memory of 2492	2284	BLClOKQwCpC7NEW.exe	116
PID 2284 wrote to memory of 2492	2284	BLClOKQwCpC7NEW.exe	116
PID 2284 wrote to memory of 2188	2284	BLClOKQwCpC7NEW.exe	118
PID 2284 wrote to memory of 2188	2284	BLClOKQwCpC7NEW.exe	118
PID 2284 wrote to memory of 2188	2284	BLClOKQwCpC7NEW.exe	118
PID 2284 wrote to memory of 4028	2284	BLClOKQwCpC7NEW.exe	120
PID 2284 wrote to memory of 4028	2284	BLClOKQwCpC7NEW.exe	120
PID 2284 wrote to memory of 4028	2284	BLClOKQwCpC7NEW.exe	120
PID 2284 wrote to memory of 1224	2284	BLClOKQwCpC7NEW.exe	121
PID 2284 wrote to memory of 1224	2284	BLClOKQwCpC7NEW.exe	121
PID 2284 wrote to memory of 1224	2284	BLClOKQwCpC7NEW.exe	121
PID 2284 wrote to memory of 4912	2284	BLClOKQwCpC7NEW.exe	122
PID 2284 wrote to memory of 4912	2284	BLClOKQwCpC7NEW.exe	122
PID 2284 wrote to memory of 4912	2284	BLClOKQwCpC7NEW.exe	122
PID 2284 wrote to memory of 3188	2284	BLClOKQwCpC7NEW.exe	123
PID 2284 wrote to memory of 3188	2284	BLClOKQwCpC7NEW.exe	123
PID 2284 wrote to memory of 3188	2284	BLClOKQwCpC7NEW.exe	123
PID 2284 wrote to memory of 3188	2284	BLClOKQwCpC7NEW.exe	123
PID 2284 wrote to memory of 3188	2284	BLClOKQwCpC7NEW.exe	123

C:\Users\Admin\AppData\Local\Temp\726653ca6a7c8ba9be0c2a8be957b464bd108580e9e6135cce2b11b124180e94.exe
"C:\Users\Admin\AppData\Local\Temp\726653ca6a7c8ba9be0c2a8be957b464bd108580e9e6135cce2b11b124180e94.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2768
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" /C wmic path win32_ComputerSystem get model
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4072
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_ComputerSystem get model
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:208
- C:\Users\Admin\AppData\Local\Temp\PEQUwNvwEW\BLClOKQwCpC7NEW.exe
  "C:\Users\Admin\AppData\Local\Temp\PEQUwNvwEW\BLClOKQwCpC7NEW.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2284
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PEQUwNvwEW\BLClOKQwCpC7NEW.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4312
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sgBDFAKb.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2492
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sgBDFAKb" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE7B0.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2188
- - C:\Users\Admin\AppData\Local\Temp\PEQUwNvwEW\BLClOKQwCpC7NEW.exe
    "C:\Users\Admin\AppData\Local\Temp\PEQUwNvwEW\BLClOKQwCpC7NEW.exe"
    3⤵
    - Executes dropped EXE
    PID:4028
- - C:\Users\Admin\AppData\Local\Temp\PEQUwNvwEW\BLClOKQwCpC7NEW.exe
    "C:\Users\Admin\AppData\Local\Temp\PEQUwNvwEW\BLClOKQwCpC7NEW.exe"
    3⤵
    - Executes dropped EXE
    PID:1224
- - C:\Users\Admin\AppData\Local\Temp\PEQUwNvwEW\BLClOKQwCpC7NEW.exe
    "C:\Users\Admin\AppData\Local\Temp\PEQUwNvwEW\BLClOKQwCpC7NEW.exe"
    3⤵
    - Executes dropped EXE
    PID:4912
- - C:\Users\Admin\AppData\Local\Temp\PEQUwNvwEW\BLClOKQwCpC7NEW.exe
    "C:\Users\Admin\AppData\Local\Temp\PEQUwNvwEW\BLClOKQwCpC7NEW.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3188
- C:\Users\Admin\AppData\Local\Temp\cHUnEQyHoEpn\AsuUQa4j6S2HpNn.exe
  "C:\Users\Admin\AppData\Local\Temp\cHUnEQyHoEpn\AsuUQa4j6S2HpNn.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4220
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\cHUnEQyHoEpn\AsuUQa4j6S2HpNn.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1272
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XyJQWVqVwSU.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2436
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XyJQWVqVwSU" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD448.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3188
- - C:\Users\Admin\AppData\Local\Temp\cHUnEQyHoEpn\AsuUQa4j6S2HpNn.exe
    "C:\Users\Admin\AppData\Local\Temp\cHUnEQyHoEpn\AsuUQa4j6S2HpNn.exe"
    3⤵
    - Executes dropped EXE
    PID:2388
- - C:\Users\Admin\AppData\Local\Temp\cHUnEQyHoEpn\AsuUQa4j6S2HpNn.exe
    "C:\Users\Admin\AppData\Local\Temp\cHUnEQyHoEpn\AsuUQa4j6S2HpNn.exe"
    3⤵
    - Executes dropped EXE
    PID:3944
- - C:\Users\Admin\AppData\Local\Temp\cHUnEQyHoEpn\AsuUQa4j6S2HpNn.exe
    "C:\Users\Admin\AppData\Local\Temp\cHUnEQyHoEpn\AsuUQa4j6S2HpNn.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2768
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C TIMEOUT /T 3 && DEL /f "C:\Users\Admin\AppData\Local\Temp\726653ca6a7c8ba9be0c2a8be957b464bd108580e9e6135cce2b11b124180e94.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Windows\system32\timeout.exe
    TIMEOUT /T 3
    3⤵
    - Delays execution with timeout.exe
    PID:5036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

System Information Discovery