Managed XDR

7391.s.eml (H-Worm, Adwind) — malware analysis report

File info

Filename: 7391.s.eml
File type: SMTP mail, ASCII text, with very long lines, with CRLF line terminators
File size: 927.5 KB
First seen:
Last seen:

Environment

win7/x86 en

Hashes

SHA1: bcf6d7cc44aebc153d992bb23d9ddf3211e27ee8
SHA256: 450898dcb976193834d6dc4b81183fdbea977639d5279375207d6c205ccdf283
MD5: 451debf9c3efb134eed7158922c96262

Malware

  • H-Worm
  • Adwind

Signatures

Execution

T1059 network_wscript_downloader: Wscript.exe initiated network communication
T1047 antivm_wmi: Uses WMI to detect virtual environment
T1047 has_wmi: Executes one or several WMI requests
T1059.005 obfuscated_vbs: Detected obfuscated VBS
T1059 wscript_info_discovery: Collects info about system with Wscript.Shell
T1059.005 obfuscated_vbs_wmi: Suspicious WMI queries from VBScript file

Persistence

T1547.001 persistence_autorun: Makes itself run automatically on Windows startup
T1183 persistence_autorun: Makes itself run automatically on Windows startup
T1574 dropper_dll: Creates a DLL, which is then loaded into the process

Privilege Escalation

T1547.001 persistence_autorun: Makes itself run automatically on Windows startup
T1183 persistence_autorun: Makes itself run automatically on Windows startup
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1574 dropper_dll: Creates a DLL, which is then loaded into the process

Defense Evasion

T1183 persistence_autorun: Makes itself run automatically on Windows startup
T1564.001 stealth_file: Creates hidden or system files
T1562 modify_uac_prompt: Attempts to modify UAC pop-up window behavior
T1562 preventing_process_start: Prevents process start, including Microsoft Defender components and monitoring software
T1562 modify_security_warnings: Attempts to modify or disable security notifications
T1562 disables_uac: Disables UAC
T1112 modifies_associations: Changes the risk level for file types in Attachment Manager
T1027.002 unnamed_memory_regions: Code was executed in unnamed regions
T1497.001 antivm_wmi: Uses WMI to detect virtual environment
T1222 icacls: May obtain or change discretionary access control lists (DACLs)
T1027 obfuscated_vbs: Detected obfuscated VBS
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1574 dropper_dll: Creates a DLL, which is then loaded into the process
T1497.001 antisandbox_script_timer: Detected script timer window (indicative of sleep style evasion)
T1027 obfuscated_vbs_wmi: Suspicious WMI queries from VBScript file

Credential Access

T1555.003 cookie_files: Accesses cookie files
T1552 cookie_files: Accesses cookie files

Discovery

T1033 recon_beacon: The process has sent information about the computer over the network
T1082 has_wmi: Executes one or several WMI requests
T1082 uses_windows_utilities: Uses Windows utilities for basic Windows functionality
T1518.001 wmi_check_av: Uses WMI to check for installed antivirus software
T1497.001 antivm_wmi: Uses WMI to detect virtual environment
T1518 locates_browser: Attempts to identify where browsers are installed
T1082 reads_csrss: Attempts to read csrss.exe memory
T1082 wscript_info_discovery: Collects info about system with Wscript.Shell
T1497.001 antisandbox_script_timer: Detected script timer window (indicative of sleep style evasion)
T1033 wscript_info_discovery: Collects info about system with Wscript.Shell

Command and Control

T1071 network_wscript_downloader: Wscript.exe initiated network communication
T1071.001 recon_beacon: The process has sent information about the computer over the network
T1071.001 network_cnc_http: Suspicious HTTP traffic
T1071.001 network_http: Performs HTTP requests
T1071.001 wininet_https: Performs HTTP/HTTPS requests using WinInet

Impact

T1490 disables_system_restore: Disables System Restore

Other

yara_rules: Static rules
suricata_alert: Malicious traffic detected
ce_info: Adwind Configuration Data found
locker_taskmgr: Disables Windows Task Manager
creates_many_processes: Spawns many processes (over 70)
networkdyndns_checkip: Connects to a Dynamic DNS domain
adwind: Adwind Trojan indicators detected
creates_exe: Creates executable files in the file system
creates_in_windows: Creates files in the Windows directory
runs_utility_without_cmdline: Runs a system utility without arguments (atypical usage)
executes_dropped_exe: Executes dropped exe files
creates_suspended_process: Creates suspended process
break_limit_exceeded: Warning: function call limit exceeded
creates_in_programdata: Creates files in the ProgramData directory