xred | 53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56ef

Virtualization/Sandbox Evasion

T1497

Processes:

._cache_Synaptics.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe._cache_53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	spoolsv.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	spoolsv.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	._cache_53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

svchost.exespoolsv.exe._cache_53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exeicsys.icn.exespoolsv.exeexplorer.exe._cache_Synaptics.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	._cache_53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	icsys.icn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	._cache_53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	icsys.icn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorer.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exeSynaptics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 9 IoCs

Processes:

._cache_53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exeSynaptics.exe._cache_Synaptics.exe._cache_synaptics.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe

pid	process
4836	._cache_53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe
3560	Synaptics.exe
800	._cache_Synaptics.exe
4040	._cache_synaptics.exe
1236	icsys.icn.exe
4004	explorer.exe
2252	spoolsv.exe
3032	svchost.exe
3552	spoolsv.exe

Themida packer 23 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\._cache_53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe	themida
behavioral2/memory/4836-70-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/4836-131-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/800-192-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
C:\Windows\Resources\Themes\icsys.icn.exe	themida
behavioral2/memory/1236-212-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
C:\Windows\Resources\Themes\explorer.exe	themida
behavioral2/memory/4004-221-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/2252-231-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
C:\Windows\Resources\spoolsv.exe	themida
C:\Windows\Resources\svchost.exe	themida
behavioral2/memory/3032-240-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/3552-242-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/3552-253-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/2252-255-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/800-259-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/1236-257-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/4836-260-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/4004-269-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/3032-274-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/4004-296-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/3032-297-0x0000000000400000-0x0000000000A16000-memory.dmp	themida
behavioral2/memory/4004-305-0x0000000000400000-0x0000000000A16000-memory.dmp	themida

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exeexplorer.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Checks whether UAC is enabled 1 TTPs 7 IoCs

evasion trojan

System Information Discovery

Processes:

._cache_Synaptics.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exe._cache_53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	icsys.icn.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorer.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	svchost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	._cache_53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe

Drops file in System32 directory 1 IoCs

Processes:

explorer.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\explorer.exe explorer.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

._cache_53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe._cache_Synaptics.exeicsys.icn.exeexplorer.exespoolsv.exespoolsv.exe

pid	process
4836	._cache_53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe
800	._cache_Synaptics.exe
1236	icsys.icn.exe
4004	explorer.exe
2252	spoolsv.exe
3552	spoolsv.exe

Drops file in Windows directory 5 IoCs

Processes:

._cache_Synaptics.exeicsys.icn.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe._cache_53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe._cache_Synaptics.exeicsys.icn.exesvchost.exeSynaptics.exeexplorer.exespoolsv.exespoolsv.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 2 IoCs

Processes:

Synaptics.exe53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1852 EXCEL.EXE

pid	process
1852	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

._cache_Synaptics.exeicsys.icn.exe

pid	process
800	._cache_Synaptics.exe
800	._cache_Synaptics.exe
800	._cache_Synaptics.exe
800	._cache_Synaptics.exe
800	._cache_Synaptics.exe
800	._cache_Synaptics.exe
800	._cache_Synaptics.exe
800	._cache_Synaptics.exe
800	._cache_Synaptics.exe
800	._cache_Synaptics.exe
800	._cache_Synaptics.exe
800	._cache_Synaptics.exe
800	._cache_Synaptics.exe
800	._cache_Synaptics.exe
800	._cache_Synaptics.exe
800	._cache_Synaptics.exe
800	._cache_Synaptics.exe
800	._cache_Synaptics.exe
800	._cache_Synaptics.exe
800	._cache_Synaptics.exe
800	._cache_Synaptics.exe
800	._cache_Synaptics.exe
800	._cache_Synaptics.exe
800	._cache_Synaptics.exe
800	._cache_Synaptics.exe
800	._cache_Synaptics.exe
800	._cache_Synaptics.exe
800	._cache_Synaptics.exe
800	._cache_Synaptics.exe
800	._cache_Synaptics.exe
800	._cache_Synaptics.exe
800	._cache_Synaptics.exe
1236	icsys.icn.exe
1236	icsys.icn.exe
1236	icsys.icn.exe
1236	icsys.icn.exe
1236	icsys.icn.exe
1236	icsys.icn.exe
1236	icsys.icn.exe
1236	icsys.icn.exe
1236	icsys.icn.exe
1236	icsys.icn.exe
1236	icsys.icn.exe
1236	icsys.icn.exe
1236	icsys.icn.exe
1236	icsys.icn.exe
1236	icsys.icn.exe
1236	icsys.icn.exe
1236	icsys.icn.exe
1236	icsys.icn.exe
1236	icsys.icn.exe
1236	icsys.icn.exe
1236	icsys.icn.exe
1236	icsys.icn.exe
1236	icsys.icn.exe
1236	icsys.icn.exe
1236	icsys.icn.exe
1236	icsys.icn.exe
1236	icsys.icn.exe
1236	icsys.icn.exe
1236	icsys.icn.exe
1236	icsys.icn.exe
1236	icsys.icn.exe
1236	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

4004 explorer.exe

pid	process
4004	explorer.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

._cache_Synaptics.exeEXCEL.EXEicsys.icn.exeexplorer.exespoolsv.exespoolsv.exe

pid	process
800	._cache_Synaptics.exe
800	._cache_Synaptics.exe
1852	EXCEL.EXE
1852	EXCEL.EXE
1236	icsys.icn.exe
1236	icsys.icn.exe
4004	explorer.exe
4004	explorer.exe
1852	EXCEL.EXE
1852	EXCEL.EXE
2252	spoolsv.exe
2252	spoolsv.exe
3552	spoolsv.exe
3552	spoolsv.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exeSynaptics.exe._cache_Synaptics.exeicsys.icn.exeexplorer.exespoolsv.exe

description	pid	process	target process
PID 392 wrote to memory of 4836	392	53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe	._cache_53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe
PID 392 wrote to memory of 4836	392	53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe	._cache_53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe
PID 392 wrote to memory of 4836	392	53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe	._cache_53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe
PID 392 wrote to memory of 3560	392	53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe	Synaptics.exe
PID 392 wrote to memory of 3560	392	53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe	Synaptics.exe
PID 392 wrote to memory of 3560	392	53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe	Synaptics.exe
PID 3560 wrote to memory of 800	3560	Synaptics.exe	._cache_Synaptics.exe
PID 3560 wrote to memory of 800	3560	Synaptics.exe	._cache_Synaptics.exe
PID 3560 wrote to memory of 800	3560	Synaptics.exe	._cache_Synaptics.exe
PID 800 wrote to memory of 4040	800	._cache_Synaptics.exe	._cache_synaptics.exe
PID 800 wrote to memory of 4040	800	._cache_Synaptics.exe	._cache_synaptics.exe
PID 800 wrote to memory of 1236	800	._cache_Synaptics.exe	icsys.icn.exe
PID 800 wrote to memory of 1236	800	._cache_Synaptics.exe	icsys.icn.exe
PID 800 wrote to memory of 1236	800	._cache_Synaptics.exe	icsys.icn.exe
PID 1236 wrote to memory of 4004	1236	icsys.icn.exe	explorer.exe
PID 1236 wrote to memory of 4004	1236	icsys.icn.exe	explorer.exe
PID 1236 wrote to memory of 4004	1236	icsys.icn.exe	explorer.exe
PID 4004 wrote to memory of 2252	4004	explorer.exe	spoolsv.exe
PID 4004 wrote to memory of 2252	4004	explorer.exe	spoolsv.exe
PID 4004 wrote to memory of 2252	4004	explorer.exe	spoolsv.exe
PID 2252 wrote to memory of 3032	2252	spoolsv.exe	svchost.exe
PID 2252 wrote to memory of 3032	2252	spoolsv.exe	svchost.exe
PID 2252 wrote to memory of 3032	2252	spoolsv.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe
"C:\Users\Admin\AppData\Local\Temp\53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:392
- C:\Users\Admin\AppData\Local\Temp\._cache_53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_53df6a79faea31e45338431200efa0bd3dec556eeea4b887d67bfa4e9eff56efN.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:4836
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3560
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:800
  - - \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
      c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
      4⤵
      Executes dropped EXE
      PID:4040
  - - C:\Windows\Resources\Themes\icsys.icn.exe
      C:\Windows\Resources\Themes\icsys.icn.exe
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1236
    - - \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4004
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        7⤵
        Modifies visiblity of hidden/system files in Explorer
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Checks whether UAC is enabled
        System Location Discovery: System Language Discovery
        
        PID:3032
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        8⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3552

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

Modify Registry

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

5

System Information Discovery

6

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion