777f77c1c53c3551c89ef44c86c06cbfe0b2bb04374b7d7d9f6153d3ecc3c267

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	4189a83a9b95038e6e32f05b4c69f3b4.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 9 IoCs

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	4189a83a9b95038e6e32f05b4c69f3b4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBlockAtFirstSeen = "1"	4189a83a9b95038e6e32f05b4c69f3b4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\SubmitSamplesConsent = "2"	4189a83a9b95038e6e32f05b4c69f3b4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableNetworkProtection = "1"	4189a83a9b95038e6e32f05b4c69f3b4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	4189a83a9b95038e6e32f05b4c69f3b4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	4189a83a9b95038e6e32f05b4c69f3b4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableCloudProtection = "1"	4189a83a9b95038e6e32f05b4c69f3b4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScriptScanning = "1"	4189a83a9b95038e6e32f05b4c69f3b4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	4189a83a9b95038e6e32f05b4c69f3b4.exe

Modifies Windows Defender notification settings 3 TTPs 2 IoCs

Windows Service

Modify Registry

Disable or Modify Tools

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications	4189a83a9b95038e6e32f05b4c69f3b4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	4189a83a9b95038e6e32f05b4c69f3b4.exe

Modifies firewall policy service 3 TTPs 6 IoCs

Modify Registry

Windows Service

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0"	4189a83a9b95038e6e32f05b4c69f3b4.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	4189a83a9b95038e6e32f05b4c69f3b4.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	4189a83a9b95038e6e32f05b4c69f3b4.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\DisableNotifications = "1"	4189a83a9b95038e6e32f05b4c69f3b4.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"	4189a83a9b95038e6e32f05b4c69f3b4.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1"	4189a83a9b95038e6e32f05b4c69f3b4.exe

Modifies security service 2 TTPs 2 IoCs

Modify Registry

Windows Service

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	4189a83a9b95038e6e32f05b4c69f3b4.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	4189a83a9b95038e6e32f05b4c69f3b4.exe

UAC bypass 3 TTPs 1 IoCs

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4189a83a9b95038e6e32f05b4c69f3b4.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	4189a83a9b95038e6e32f05b4c69f3b4.exe

Identifies Xen via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\Xen	4189a83a9b95038e6e32f05b4c69f3b4.exe

Disables Task Manager via registry modification
defense_evasion
Disables use of System Restore points 1 TTPs
defense_evasion

Inhibit System Recovery
T1490

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4189a83a9b95038e6e32f05b4c69f3b4.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	4189a83a9b95038e6e32f05b4c69f3b4.exe

Deletes itself 1 IoCs

pid	Process
4456	powershell.exe

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yoev0o5b.wx3.exe	4189a83a9b95038e6e32f05b4c69f3b4.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4189a83a9b95038e6e32f05b4c69f3b4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4189a83a9b95038e6e32f05b4c69f3b4.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Modifies Security services 2 TTPs 1 IoCs

Modifies the startup behavior of a security service.

Modify Registry

Impair Defenses

T1562

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SecurityHealthService\Start = "4"	4189a83a9b95038e6e32f05b4c69f3b4.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Prefetch\POWERSHELL.EXE-920BBA2A.pf	4189a83a9b95038e6e32f05b4c69f3b4.exe

Hide Artifacts: Ignore Process Interrupts 1 TTPs 2 IoCs

Command interpreters often include specific commands/flags that ignore errors and other hangups.

persistence privilege_escalation

Ignore Process Interrupts

T1564.011

pid	Process
772	powershell.exe
4456	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 1 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	4189a83a9b95038e6e32f05b4c69f3b4.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	4189a83a9b95038e6e32f05b4c69f3b4.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	4189a83a9b95038e6e32f05b4c69f3b4.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	4189a83a9b95038e6e32f05b4c69f3b4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	4189a83a9b95038e6e32f05b4c69f3b4.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	4189a83a9b95038e6e32f05b4c69f3b4.exe

Disables Windows logging functionality 2 TTPs
Changes registry settings to disable Windows Event logging.

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	4189a83a9b95038e6e32f05b4c69f3b4.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	4189a83a9b95038e6e32f05b4c69f3b4.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
5488	4189a83a9b95038e6e32f05b4c69f3b4.exe
5488	4189a83a9b95038e6e32f05b4c69f3b4.exe
5488	4189a83a9b95038e6e32f05b4c69f3b4.exe
5488	4189a83a9b95038e6e32f05b4c69f3b4.exe
5488	4189a83a9b95038e6e32f05b4c69f3b4.exe
5488	4189a83a9b95038e6e32f05b4c69f3b4.exe
5488	4189a83a9b95038e6e32f05b4c69f3b4.exe
5488	4189a83a9b95038e6e32f05b4c69f3b4.exe
5488	4189a83a9b95038e6e32f05b4c69f3b4.exe
772	powershell.exe
772	powershell.exe
4456	powershell.exe
4456	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	5488	4189a83a9b95038e6e32f05b4c69f3b4.exe
Token: SeDebugPrivilege	772	powershell.exe
Token: SeDebugPrivilege	4456	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5488 wrote to memory of 772	5488	4189a83a9b95038e6e32f05b4c69f3b4.exe	89
PID 5488 wrote to memory of 772	5488	4189a83a9b95038e6e32f05b4c69f3b4.exe	89
PID 5488 wrote to memory of 4456	5488	4189a83a9b95038e6e32f05b4c69f3b4.exe	92
PID 5488 wrote to memory of 4456	5488	4189a83a9b95038e6e32f05b4c69f3b4.exe	92

System policy modification 1 TTPs 1 IoCs

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4189a83a9b95038e6e32f05b4c69f3b4.exe

C:\Users\Admin\AppData\Local\Temp\4189a83a9b95038e6e32f05b4c69f3b4.exe
"C:\Users\Admin\AppData\Local\Temp\4189a83a9b95038e6e32f05b4c69f3b4.exe"
1⤵
- Modifies Windows Defender DisableAntiSpyware settings
- Modifies Windows Defender Real-time Protection settings
- Modifies Windows Defender notification settings
- Modifies firewall policy service
- Modifies security service
- UAC bypass
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Xen via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Drops startup file
- Checks whether UAC is enabled
- Modifies Security services
- Drops file in Windows directory
- Event Triggered Execution: Netsh Helper DLL
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "Remove-Item -Path 'C:\Users\Admin\AppData\Local\Temp\4189a83a9b95038e6e32f05b4c69f3b4.exe' -Force -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "Remove-Item -Path 'C:\Users\Admin\AppData\Local\Temp\4189a83a9b95038e6e32f05b4c69f3b4.exe' -Force -ErrorAction SilentlyContinue"
  2⤵
  - Deletes itself
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Ignore Process Interrupts

T1564.011

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion