azorult | 16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Bjkm5hE.exe

Downloads MZ/PE file 4 IoCs

flow	pid	Process
13	1836	New Text Document mod.exe
19	1836	New Text Document mod.exe
25	1836	New Text Document mod.exe
25	1836	New Text Document mod.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Bjkm5hE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Bjkm5hE.exe

Executes dropped EXE 7 IoCs

pid	Process
3064	extension_dropper.exe
3060	dlaos.exe
2920	random.exe
2952	Bjkm5hE.exe
852	Macromedia.com
3064	cHSzTDjVl.exe
2324	wind.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

Virtualization/Sandbox Evasion

defense_evasion spyware trojan

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	Bjkm5hE.exe

Loads dropped DLL 2 IoCs

pid	Process
2920	random.exe
1616	cmd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
14	bitbucket.org
15	bitbucket.org
24	raw.githubusercontent.com
25	raw.githubusercontent.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2380	tasklist.exe
1792	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2952	Bjkm5hE.exe

Drops file in Program Files directory 63 IoCs

description	ioc	Process
File created	C:\PROGRA~3\WEBVIE~1\icon128.plasmo.3c1ed2d2.png	extension_dropper.exe
File opened for modification	C:\PROGRA~3\WEBVIE~1\icon32.plasmo.76b92899.png	extension_dropper.exe
File created	C:\PROGRA~3\WEBVIE~1\popup.html	extension_dropper.exe
File created	C:\PROGRA~3\WEBVIE~1\static\BACKGR~1\index.js	extension_dropper.exe
File created	C:\PROGRA~3\WEBVIE~1\contents.d42e7fcf.js	dlaos.exe
File created	C:\PROGRA~3\WEBVIE~1\icon48.plasmo.aced7582.png	dlaos.exe
File created	C:\PROGRA~3\WEBVIE~1\handle-main-world.93005d24.js	extension_dropper.exe
File created	C:\PROGRA~3\WEBVIE~1\tracktor.39faf6eb.js	dlaos.exe
File opened for modification	C:\PROGRA~3\WEBVIE~1\grabber.e414ca58.js	extension_dropper.exe
File created	C:\PROGRA~3\WEBVIE~1\manifest.json	extension_dropper.exe
File opened for modification	C:\PROGRA~3\WEBVIE~1\tracktor.39faf6eb.js	extension_dropper.exe
File opened for modification	C:\PROGRA~3\WEBVIE~1\icon16.plasmo.6c567d50.png	extension_dropper.exe
File created	C:\PROGRA~3\WEBVIE~1\popup.100f6462.js	extension_dropper.exe
File created	C:\PROGRA~3\WEBVIE~1\script-injector.92f3fc68.js	extension_dropper.exe
File created	C:\PROGRA~3\WEBVIE~1\handle-main-world.93005d24.js	dlaos.exe
File created	C:\PROGRA~3\WEBVIE~1\iframe.739970f9.js	dlaos.exe
File created	C:\PROGRA~3\WEBVIE~1\icon16.plasmo.6c567d50.png	extension_dropper.exe
File opened for modification	C:\PROGRA~3\WEBVIE~1\contents.d42e7fcf.js	extension_dropper.exe
File created	C:\PROGRA~3\WEBVIE~1\hides.19587cd2.js	extension_dropper.exe
File opened for modification	C:\PROGRA~3\WEBVIE~1\icon64.plasmo.8bb5e6e0.png	extension_dropper.exe
File opened for modification	C:\PROGRA~3\WEBVIE~1\iframe.739970f9.js	extension_dropper.exe
File created	C:\PROGRA~3\WEBVIE~1\redirect.aba114e6.js	extension_dropper.exe
File created	C:\PROGRA~3\WEBVIE~1\any-url-query-text.8d96bb67.js	extension_dropper.exe
File opened for modification	C:\PROGRA~3\WEBVIE~1\static\BACKGR~1\index.js	extension_dropper.exe
File created	C:\PROGRA~3\WEBVIE~1\icon48.plasmo.aced7582.png	extension_dropper.exe
File opened for modification	C:\PROGRA~3\WEBVIE~1\popup.html	extension_dropper.exe
File opened for modification	C:\PROGRA~3\WEBVIE~1\porter.66760f70.js	extension_dropper.exe
File opened for modification	C:\PROGRA~3\WEBVIE~1\icon48.plasmo.aced7582.png	extension_dropper.exe
File created	C:\PROGRA~3\WEBVIE~1\popup.100f6462.js	dlaos.exe
File created	C:\PROGRA~3\WEBVIE~1\grabber.e414ca58.js	extension_dropper.exe
File opened for modification	C:\PROGRA~3\WEBVIE~1\main-world.af72fae2.js	extension_dropper.exe
File opened for modification	C:\PROGRA~3\WEBVIE~1\manifest.json	extension_dropper.exe
File created	C:\PROGRA~3\WEBVIE~1\client-hub-main-world.26398054.js	dlaos.exe
File created	C:\PROGRA~3\WEBVIE~1\hides.19587cd2.js	dlaos.exe
File created	C:\PROGRA~3\WEBVIE~1\manifest.json	dlaos.exe
File created	C:\PROGRA~3\WEBVIE~1\popup.html	dlaos.exe
File created	C:\PROGRA~3\WEBVIE~1\icon32.plasmo.76b92899.png	extension_dropper.exe
File created	C:\PROGRA~3\WEBVIE~1\porter.66760f70.js	extension_dropper.exe
File created	C:\PROGRA~3\WEBVIE~1\any-url-query-text.8d96bb67.js	dlaos.exe
File created	C:\PROGRA~3\WEBVIE~1\icon16.plasmo.6c567d50.png	dlaos.exe
File opened for modification	C:\PROGRA~3\WEBVIE~1\hides.19587cd2.js	extension_dropper.exe
File opened for modification	C:\PROGRA~3\WEBVIE~1\popup.100f6462.js	extension_dropper.exe
File opened for modification	C:\PROGRA~3\WEBVIE~1\redirect.aba114e6.js	extension_dropper.exe
File created	C:\PROGRA~3\WEBVIE~1\icon32.plasmo.76b92899.png	dlaos.exe
File created	C:\PROGRA~3\WEBVIE~1\icon64.plasmo.8bb5e6e0.png	dlaos.exe
File created	C:\PROGRA~3\WEBVIE~1\main-world.af72fae2.js	extension_dropper.exe
File created	C:\PROGRA~3\WEBVIE~1\grabber.e414ca58.js	dlaos.exe
File opened for modification	C:\PROGRA~3\WEBVIE~1\any-url-query-text.8d96bb67.js	extension_dropper.exe
File created	C:\PROGRA~3\WEBVIE~1\contents.d42e7fcf.js	extension_dropper.exe
File created	C:\PROGRA~3\WEBVIE~1\icon128.plasmo.3c1ed2d2.png	dlaos.exe
File created	C:\PROGRA~3\WEBVIE~1\porter.66760f70.js	dlaos.exe
File created	C:\PROGRA~3\WEBVIE~1\client-hub-main-world.26398054.js	extension_dropper.exe
File created	C:\PROGRA~3\WEBVIE~1\iframe.739970f9.js	extension_dropper.exe
File created	C:\PROGRA~3\WEBVIE~1\redirect.aba114e6.js	dlaos.exe
File opened for modification	C:\PROGRA~3\WEBVIE~1\client-hub-main-world.26398054.js	extension_dropper.exe
File opened for modification	C:\PROGRA~3\WEBVIE~1\icon128.plasmo.3c1ed2d2.png	extension_dropper.exe
File created	C:\PROGRA~3\WEBVIE~1\icon64.plasmo.8bb5e6e0.png	extension_dropper.exe
File opened for modification	C:\PROGRA~3\WEBVIE~1\script-injector.92f3fc68.js	extension_dropper.exe
File created	C:\PROGRA~3\WEBVIE~1\tracktor.39faf6eb.js	extension_dropper.exe
File created	C:\PROGRA~3\WEBVIE~1\main-world.af72fae2.js	dlaos.exe
File created	C:\PROGRA~3\WEBVIE~1\script-injector.92f3fc68.js	dlaos.exe
File created	C:\PROGRA~3\WEBVIE~1\static\BACKGR~1\index.js	dlaos.exe
File opened for modification	C:\PROGRA~3\WEBVIE~1\handle-main-world.93005d24.js	extension_dropper.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SchedulesAb	random.exe
File opened for modification	C:\Windows\ContainsBefore	random.exe
File opened for modification	C:\Windows\TokenDetroit	random.exe
File opened for modification	C:\Windows\AttacksContacted	random.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dlaos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Macromedia.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extension_dropper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjkm5hE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wind.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cHSzTDjVl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.exe

Modifies system certificate store 2 TTPs 8 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	New Text Document mod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	New Text Document mod.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	New Text Document mod.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	New Text Document mod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Bjkm5hE.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Bjkm5hE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	New Text Document mod.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	New Text Document mod.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
608	schtasks.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
3064	extension_dropper.exe
3060	dlaos.exe
3060	dlaos.exe
3060	dlaos.exe
3060	dlaos.exe
3060	dlaos.exe
3060	dlaos.exe
3060	dlaos.exe
3060	dlaos.exe
3060	dlaos.exe
3060	dlaos.exe
3060	dlaos.exe
3060	dlaos.exe
3060	dlaos.exe
3060	dlaos.exe
3060	dlaos.exe
3060	dlaos.exe
3060	dlaos.exe
3060	dlaos.exe
3060	dlaos.exe
3060	dlaos.exe
852	Macromedia.com
852	Macromedia.com
852	Macromedia.com
852	Macromedia.com
852	Macromedia.com
852	Macromedia.com
852	Macromedia.com
852	Macromedia.com
852	Macromedia.com
852	Macromedia.com
852	Macromedia.com
852	Macromedia.com
852	Macromedia.com
852	Macromedia.com
852	Macromedia.com
852	Macromedia.com
852	Macromedia.com
852	Macromedia.com
852	Macromedia.com
2952	Bjkm5hE.exe
852	Macromedia.com
852	Macromedia.com
3060	dlaos.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1836	New Text Document mod.exe
Token: SeDebugPrivilege	2380	tasklist.exe
Token: SeDebugPrivilege	1792	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
852	Macromedia.com
852	Macromedia.com
852	Macromedia.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
852	Macromedia.com
852	Macromedia.com
852	Macromedia.com

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1836 wrote to memory of 3064	1836	New Text Document mod.exe	32
PID 1836 wrote to memory of 3064	1836	New Text Document mod.exe	32
PID 1836 wrote to memory of 3064	1836	New Text Document mod.exe	32
PID 1836 wrote to memory of 3064	1836	New Text Document mod.exe	32
PID 1836 wrote to memory of 3060	1836	New Text Document mod.exe	33
PID 1836 wrote to memory of 3060	1836	New Text Document mod.exe	33
PID 1836 wrote to memory of 3060	1836	New Text Document mod.exe	33
PID 1836 wrote to memory of 3060	1836	New Text Document mod.exe	33
PID 1836 wrote to memory of 2920	1836	New Text Document mod.exe	34
PID 1836 wrote to memory of 2920	1836	New Text Document mod.exe	34
PID 1836 wrote to memory of 2920	1836	New Text Document mod.exe	34
PID 1836 wrote to memory of 2920	1836	New Text Document mod.exe	34
PID 2920 wrote to memory of 1616	2920	random.exe	35
PID 2920 wrote to memory of 1616	2920	random.exe	35
PID 2920 wrote to memory of 1616	2920	random.exe	35
PID 2920 wrote to memory of 1616	2920	random.exe	35
PID 1616 wrote to memory of 2380	1616	cmd.exe	37
PID 1616 wrote to memory of 2380	1616	cmd.exe	37
PID 1616 wrote to memory of 2380	1616	cmd.exe	37
PID 1616 wrote to memory of 2380	1616	cmd.exe	37
PID 1616 wrote to memory of 2512	1616	cmd.exe	38
PID 1616 wrote to memory of 2512	1616	cmd.exe	38
PID 1616 wrote to memory of 2512	1616	cmd.exe	38
PID 1616 wrote to memory of 2512	1616	cmd.exe	38
PID 1616 wrote to memory of 1792	1616	cmd.exe	40
PID 1616 wrote to memory of 1792	1616	cmd.exe	40
PID 1616 wrote to memory of 1792	1616	cmd.exe	40
PID 1616 wrote to memory of 1792	1616	cmd.exe	40
PID 1616 wrote to memory of 1140	1616	cmd.exe	41
PID 1616 wrote to memory of 1140	1616	cmd.exe	41
PID 1616 wrote to memory of 1140	1616	cmd.exe	41
PID 1616 wrote to memory of 1140	1616	cmd.exe	41
PID 1616 wrote to memory of 1260	1616	cmd.exe	42
PID 1616 wrote to memory of 1260	1616	cmd.exe	42
PID 1616 wrote to memory of 1260	1616	cmd.exe	42
PID 1616 wrote to memory of 1260	1616	cmd.exe	42
PID 1616 wrote to memory of 1364	1616	cmd.exe	43
PID 1616 wrote to memory of 1364	1616	cmd.exe	43
PID 1616 wrote to memory of 1364	1616	cmd.exe	43
PID 1616 wrote to memory of 1364	1616	cmd.exe	43
PID 1616 wrote to memory of 1412	1616	cmd.exe	44
PID 1616 wrote to memory of 1412	1616	cmd.exe	44
PID 1616 wrote to memory of 1412	1616	cmd.exe	44
PID 1616 wrote to memory of 1412	1616	cmd.exe	44
PID 1616 wrote to memory of 2168	1616	cmd.exe	45
PID 1616 wrote to memory of 2168	1616	cmd.exe	45
PID 1616 wrote to memory of 2168	1616	cmd.exe	45
PID 1616 wrote to memory of 2168	1616	cmd.exe	45
PID 1836 wrote to memory of 2952	1836	New Text Document mod.exe	47
PID 1836 wrote to memory of 2952	1836	New Text Document mod.exe	47
PID 1836 wrote to memory of 2952	1836	New Text Document mod.exe	47
PID 1836 wrote to memory of 2952	1836	New Text Document mod.exe	47
PID 1616 wrote to memory of 2268	1616	cmd.exe	46
PID 1616 wrote to memory of 2268	1616	cmd.exe	46
PID 1616 wrote to memory of 2268	1616	cmd.exe	46
PID 1616 wrote to memory of 2268	1616	cmd.exe	46
PID 1616 wrote to memory of 852	1616	cmd.exe	48
PID 1616 wrote to memory of 852	1616	cmd.exe	48
PID 1616 wrote to memory of 852	1616	cmd.exe	48
PID 1616 wrote to memory of 852	1616	cmd.exe	48
PID 1616 wrote to memory of 1536	1616	cmd.exe	49
PID 1616 wrote to memory of 1536	1616	cmd.exe	49
PID 1616 wrote to memory of 1536	1616	cmd.exe	49
PID 1616 wrote to memory of 1536	1616	cmd.exe	49

C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
1⤵
- Downloads MZ/PE file
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1836
- C:\Users\Admin\AppData\Local\Temp\a\extension_dropper.exe
  "C:\Users\Admin\AppData\Local\Temp\a\extension_dropper.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3064
- C:\Users\Admin\AppData\Local\Temp\a\dlaos.exe
  "C:\Users\Admin\AppData\Local\Temp\a\dlaos.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3060
- C:\Users\Admin\AppData\Local\Temp\a\random.exe
  "C:\Users\Admin\AppData\Local\Temp\a\random.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy Turner Turner.cmd & Turner.cmd
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1616
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2380
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "opssvc wrsa"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2512
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1792
  - - C:\Windows\SysWOW64\findstr.exe
      findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1140
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 764661
      4⤵
      System Location Discovery: System Language Discovery
      PID:1260
  - - C:\Windows\SysWOW64\extrac32.exe
      extrac32 /Y /E Fm
      4⤵
      System Location Discovery: System Language Discovery
      PID:1364
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "Tunnel" Addresses
      4⤵
      System Location Discovery: System Language Discovery
      PID:1412
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b 764661\Macromedia.com + Totally + York + Drunk + Baghdad + Benz + Glasses + Pac + Tender + Racing + Deluxe + Derived 764661\Macromedia.com
      4⤵
      System Location Discovery: System Language Discovery
      PID:2168
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b ..\Complement + ..\Soundtrack + ..\Plumbing + ..\Hills F
      4⤵
      System Location Discovery: System Language Discovery
      PID:2268
  - - C:\Users\Admin\AppData\Local\Temp\764661\Macromedia.com
      Macromedia.com F
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:852
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /create /tn "AchillesGuard" /tr "wscript //B 'C:\Users\Admin\AppData\Local\GuardTech Solutions\AchillesGuard.js'" /sc onlogon /F /RL HIGHEST
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:608
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        5⤵
        
        PID:1972
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 15
      4⤵
      System Location Discovery: System Language Discovery
      PID:1536
- C:\Users\Admin\AppData\Local\Temp\a\Bjkm5hE.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Bjkm5hE.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  PID:2952
- C:\Users\Admin\AppData\Local\Temp\a\cHSzTDjVl.exe
  "C:\Users\Admin\AppData\Local\Temp\a\cHSzTDjVl.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3064
- C:\Users\Admin\AppData\Local\Temp\a\wind.exe
  "C:\Users\Admin\AppData\Local\Temp\a\wind.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion