formbook | 71381247497fba4f3392ddd62fe162201e0085a9afe1b3b9d62e7c15281d86e2

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	PIsept2020.exe

Looks for VMWare Tools registry key 2 TTPs 1 IoCs

evasion

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools	PIsept2020.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	PIsept2020.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	PIsept2020.exe

Deletes itself 1 IoCs

pid	Process
1332	cmd.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	PIsept2020.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	PIsept2020.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	PIsept2020.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	PIsept2020.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2444 set thread context of 2404	2444	PIsept2020.exe	34
PID 2404 set thread context of 1232	2404	PIsept2020.exe	21
PID 2868 set thread context of 1232	2868	ipconfig.exe	21

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PIsept2020.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

Command and Scripting Interpreter

T1059

pid	Process
2868	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
2880	powershell.exe
2404	PIsept2020.exe
2404	PIsept2020.exe
2868	ipconfig.exe
2868	ipconfig.exe
2868	ipconfig.exe
2868	ipconfig.exe
2868	ipconfig.exe
2868	ipconfig.exe
2868	ipconfig.exe
2868	ipconfig.exe
2868	ipconfig.exe
2868	ipconfig.exe
2868	ipconfig.exe
2868	ipconfig.exe
2868	ipconfig.exe
2868	ipconfig.exe
2868	ipconfig.exe
2868	ipconfig.exe
2868	ipconfig.exe
2868	ipconfig.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2404	PIsept2020.exe
2404	PIsept2020.exe
2404	PIsept2020.exe
2868	ipconfig.exe
2868	ipconfig.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	2404	PIsept2020.exe
Token: SeDebugPrivilege	2868	ipconfig.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 2880	2444	PIsept2020.exe	31
PID 2444 wrote to memory of 2880	2444	PIsept2020.exe	31
PID 2444 wrote to memory of 2880	2444	PIsept2020.exe	31
PID 2444 wrote to memory of 2880	2444	PIsept2020.exe	31
PID 2444 wrote to memory of 2404	2444	PIsept2020.exe	34
PID 2444 wrote to memory of 2404	2444	PIsept2020.exe	34
PID 2444 wrote to memory of 2404	2444	PIsept2020.exe	34
PID 2444 wrote to memory of 2404	2444	PIsept2020.exe	34
PID 2444 wrote to memory of 2404	2444	PIsept2020.exe	34
PID 2444 wrote to memory of 2404	2444	PIsept2020.exe	34
PID 2444 wrote to memory of 2404	2444	PIsept2020.exe	34
PID 1232 wrote to memory of 2868	1232	Explorer.EXE	35
PID 1232 wrote to memory of 2868	1232	Explorer.EXE	35
PID 1232 wrote to memory of 2868	1232	Explorer.EXE	35
PID 1232 wrote to memory of 2868	1232	Explorer.EXE	35
PID 2868 wrote to memory of 1332	2868	ipconfig.exe	36
PID 2868 wrote to memory of 1332	2868	ipconfig.exe	36
PID 2868 wrote to memory of 1332	2868	ipconfig.exe	36
PID 2868 wrote to memory of 1332	2868	ipconfig.exe	36

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Users\Admin\AppData\Local\Temp\PIsept2020.exe
  "C:\Users\Admin\AppData\Local\Temp\PIsept2020.exe"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Windows security modification
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2880
- - C:\Users\Admin\AppData\Local\Temp\PIsept2020.exe
    "C:\Users\Admin\AppData\Local\Temp\PIsept2020.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2404
- C:\Windows\SysWOW64\ipconfig.exe
  "C:\Windows\SysWOW64\ipconfig.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Gathers network information
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\PIsept2020.exe"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:1332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Virtualization/Sandbox Evasion

2

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

2