af65072fd228a47cc3e8a8d1461688c1b53c2ec91949b472decba4d97289253b

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	WScript.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

defense_evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	WScript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	WScript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	WScript.exe

Modifies security service 2 TTPs 1 IoCs

defense_evasion

Modify Registry

Windows Service

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	WScript.exe

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WScript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2836	powershell.exe
2668	powershell.exe
2740	powershell.exe
916	powershell.exe
2408	powershell.exe
2652	powershell.exe
2912	powershell.exe
2708	powershell.exe
2100	powershell.exe
920	powershell.exe
2932	powershell.exe
1156	powershell.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2668	powershell.exe
2912	powershell.exe
2836	powershell.exe
2740	powershell.exe
916	powershell.exe
2932	powershell.exe
2652	powershell.exe
920	powershell.exe
2100	powershell.exe
2708	powershell.exe
2408	powershell.exe
1156	powershell.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	2912	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeDebugPrivilege	916	powershell.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	2652	powershell.exe
Token: SeDebugPrivilege	920	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	2408	powershell.exe
Token: SeDebugPrivilege	1156	powershell.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 2820	2864	WScript.exe	30
PID 2864 wrote to memory of 2820	2864	WScript.exe	30
PID 2864 wrote to memory of 2820	2864	WScript.exe	30
PID 2820 wrote to memory of 2912	2820	WScript.exe	31
PID 2820 wrote to memory of 2912	2820	WScript.exe	31
PID 2820 wrote to memory of 2912	2820	WScript.exe	31
PID 2820 wrote to memory of 2932	2820	WScript.exe	33
PID 2820 wrote to memory of 2932	2820	WScript.exe	33
PID 2820 wrote to memory of 2932	2820	WScript.exe	33
PID 2820 wrote to memory of 2708	2820	WScript.exe	35
PID 2820 wrote to memory of 2708	2820	WScript.exe	35
PID 2820 wrote to memory of 2708	2820	WScript.exe	35
PID 2820 wrote to memory of 2836	2820	WScript.exe	37
PID 2820 wrote to memory of 2836	2820	WScript.exe	37
PID 2820 wrote to memory of 2836	2820	WScript.exe	37
PID 2820 wrote to memory of 2668	2820	WScript.exe	39
PID 2820 wrote to memory of 2668	2820	WScript.exe	39
PID 2820 wrote to memory of 2668	2820	WScript.exe	39
PID 2820 wrote to memory of 2740	2820	WScript.exe	41
PID 2820 wrote to memory of 2740	2820	WScript.exe	41
PID 2820 wrote to memory of 2740	2820	WScript.exe	41
PID 2820 wrote to memory of 2100	2820	WScript.exe	43
PID 2820 wrote to memory of 2100	2820	WScript.exe	43
PID 2820 wrote to memory of 2100	2820	WScript.exe	43
PID 2820 wrote to memory of 920	2820	WScript.exe	45
PID 2820 wrote to memory of 920	2820	WScript.exe	45
PID 2820 wrote to memory of 920	2820	WScript.exe	45
PID 2820 wrote to memory of 916	2820	WScript.exe	46
PID 2820 wrote to memory of 916	2820	WScript.exe	46
PID 2820 wrote to memory of 916	2820	WScript.exe	46
PID 2820 wrote to memory of 2408	2820	WScript.exe	49
PID 2820 wrote to memory of 2408	2820	WScript.exe	49
PID 2820 wrote to memory of 2408	2820	WScript.exe	49
PID 2820 wrote to memory of 2652	2820	WScript.exe	50
PID 2820 wrote to memory of 2652	2820	WScript.exe	50
PID 2820 wrote to memory of 2652	2820	WScript.exe	50
PID 2820 wrote to memory of 1156	2820	WScript.exe	53
PID 2820 wrote to memory of 1156	2820	WScript.exe	53
PID 2820 wrote to memory of 1156	2820	WScript.exe	53

System policy modification 1 TTPs 2 IoCs

defense_evasion

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	WScript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WScript.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\taskbroker.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\taskbroker.vbs" /elevate
  2⤵
  - Modifies Windows Defender DisableAntiSpyware settings
  - Modifies Windows Defender Real-time Protection settings
  - Modifies security service
  - UAC bypass
  - Checks whether UAC is enabled
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2820
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2912
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -DisableBehaviorMonitoring $true
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2932
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -DisableBlockAtFirstSeen $true
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2708
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -DisableIOAVProtection $true
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2836
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -DisableScriptScanning $true
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2668
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2740
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -MAPSReporting 0
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2100
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -HighThreatDefaultAction 6 -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:920
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -ModerateThreatDefaultAction 6
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:916
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -LowThreatDefaultAction 6
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2408
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -SevereThreatDefaultAction 6
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2652
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\taskbroker.vbs"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

Modify Registry