760f5ddd00760be411967d77224b29a48e00e1eed0e978ba4017979595d1637e

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	647ab91c9355e42a7d39ffda3cedfa52.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 9 IoCs

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	647ab91c9355e42a7d39ffda3cedfa52.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableCloudProtection = "1"	647ab91c9355e42a7d39ffda3cedfa52.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	647ab91c9355e42a7d39ffda3cedfa52.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScriptScanning = "1"	647ab91c9355e42a7d39ffda3cedfa52.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	647ab91c9355e42a7d39ffda3cedfa52.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\SubmitSamplesConsent = "2"	647ab91c9355e42a7d39ffda3cedfa52.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableNetworkProtection = "1"	647ab91c9355e42a7d39ffda3cedfa52.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	647ab91c9355e42a7d39ffda3cedfa52.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBlockAtFirstSeen = "1"	647ab91c9355e42a7d39ffda3cedfa52.exe

Modifies Windows Defender notification settings 3 TTPs 2 IoCs

Windows Service

Modify Registry

Disable or Modify Tools

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications	647ab91c9355e42a7d39ffda3cedfa52.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	647ab91c9355e42a7d39ffda3cedfa52.exe

Modifies firewall policy service 3 TTPs 6 IoCs

Modify Registry

Windows Service

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\DisableNotifications = "1"	647ab91c9355e42a7d39ffda3cedfa52.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"	647ab91c9355e42a7d39ffda3cedfa52.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1"	647ab91c9355e42a7d39ffda3cedfa52.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0"	647ab91c9355e42a7d39ffda3cedfa52.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	647ab91c9355e42a7d39ffda3cedfa52.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	647ab91c9355e42a7d39ffda3cedfa52.exe

Modifies security service 2 TTPs 2 IoCs

Modify Registry

Windows Service

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	647ab91c9355e42a7d39ffda3cedfa52.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	647ab91c9355e42a7d39ffda3cedfa52.exe

UAC bypass 3 TTPs 1 IoCs

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	647ab91c9355e42a7d39ffda3cedfa52.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	647ab91c9355e42a7d39ffda3cedfa52.exe

Identifies Xen via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

Query Registry

Virtualization/Sandbox Evasion

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\Xen	647ab91c9355e42a7d39ffda3cedfa52.exe

Disables Task Manager via registry modification
defense_evasion
Disables use of System Restore points 1 TTPs
defense_evasion

Inhibit System Recovery
T1490

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	647ab91c9355e42a7d39ffda3cedfa52.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	647ab91c9355e42a7d39ffda3cedfa52.exe

Deletes itself 1 IoCs

pid	Process
1876	powershell.exe

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\u1s0wdup.tma.exe	647ab91c9355e42a7d39ffda3cedfa52.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	647ab91c9355e42a7d39ffda3cedfa52.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	647ab91c9355e42a7d39ffda3cedfa52.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Modifies Security services 2 TTPs 1 IoCs

Modifies the startup behavior of a security service.

Modify Registry

Impair Defenses

T1562

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SecurityHealthService\Start = "4"	647ab91c9355e42a7d39ffda3cedfa52.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Prefetch\POWERSHELL.EXE-920BBA2A.pf	647ab91c9355e42a7d39ffda3cedfa52.exe

Hide Artifacts: Ignore Process Interrupts 1 TTPs 2 IoCs

Command interpreters often include specific commands/flags that ignore errors and other hangups.

persistence privilege_escalation

Ignore Process Interrupts

T1564.011

pid	Process
4428	powershell.exe
1876	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 1 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	647ab91c9355e42a7d39ffda3cedfa52.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	647ab91c9355e42a7d39ffda3cedfa52.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	647ab91c9355e42a7d39ffda3cedfa52.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	647ab91c9355e42a7d39ffda3cedfa52.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	647ab91c9355e42a7d39ffda3cedfa52.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	647ab91c9355e42a7d39ffda3cedfa52.exe

Disables Windows logging functionality 2 TTPs
Changes registry settings to disable Windows Event logging.

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	647ab91c9355e42a7d39ffda3cedfa52.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	647ab91c9355e42a7d39ffda3cedfa52.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1708	647ab91c9355e42a7d39ffda3cedfa52.exe
1708	647ab91c9355e42a7d39ffda3cedfa52.exe
1708	647ab91c9355e42a7d39ffda3cedfa52.exe
1708	647ab91c9355e42a7d39ffda3cedfa52.exe
1708	647ab91c9355e42a7d39ffda3cedfa52.exe
1708	647ab91c9355e42a7d39ffda3cedfa52.exe
1708	647ab91c9355e42a7d39ffda3cedfa52.exe
1708	647ab91c9355e42a7d39ffda3cedfa52.exe
1708	647ab91c9355e42a7d39ffda3cedfa52.exe
4428	powershell.exe
4428	powershell.exe
1876	powershell.exe
1876	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1708	647ab91c9355e42a7d39ffda3cedfa52.exe
Token: SeDebugPrivilege	4428	powershell.exe
Token: SeDebugPrivilege	1876	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 4428	1708	647ab91c9355e42a7d39ffda3cedfa52.exe	87
PID 1708 wrote to memory of 4428	1708	647ab91c9355e42a7d39ffda3cedfa52.exe	87
PID 1708 wrote to memory of 1876	1708	647ab91c9355e42a7d39ffda3cedfa52.exe	89
PID 1708 wrote to memory of 1876	1708	647ab91c9355e42a7d39ffda3cedfa52.exe	89

System policy modification 1 TTPs 1 IoCs

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	647ab91c9355e42a7d39ffda3cedfa52.exe

C:\Users\Admin\AppData\Local\Temp\647ab91c9355e42a7d39ffda3cedfa52.exe
"C:\Users\Admin\AppData\Local\Temp\647ab91c9355e42a7d39ffda3cedfa52.exe"
1⤵
- Modifies Windows Defender DisableAntiSpyware settings
- Modifies Windows Defender Real-time Protection settings
- Modifies Windows Defender notification settings
- Modifies firewall policy service
- Modifies security service
- UAC bypass
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Xen via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Drops startup file
- Checks whether UAC is enabled
- Modifies Security services
- Drops file in Windows directory
- Event Triggered Execution: Netsh Helper DLL
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "Remove-Item -Path 'C:\Users\Admin\AppData\Local\Temp\647ab91c9355e42a7d39ffda3cedfa52.exe' -Force -ErrorAction SilentlyContinue"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4428
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "Remove-Item -Path 'C:\Users\Admin\AppData\Local\Temp\647ab91c9355e42a7d39ffda3cedfa52.exe' -Force -ErrorAction SilentlyContinue"
  2⤵
  - Deletes itself
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Ignore Process Interrupts

T1564.011

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion