xmrig | 9c748a69c48b79e6422b3bea1766e415de5532cb7ba2b9673d5a51163e6c1df2

General

Target

3dcd284892131ed336b5801c7993d3ed.exe
Size

1.8MB
MD5

3dcd284892131ed336b5801c7993d3ed
SHA1

b1055faf8ac2c14ce5c45f1954c45f7ab6a986eb
SHA256

9c748a69c48b79e6422b3bea1766e415de5532cb7ba2b9673d5a51163e6c1df2
SHA512

9fb9ee8903ded8051ca40b1d6f780c7b475255987ee592e35ccebc7119fdef6202f2f80b47e00eedb1434649c299eea1f1f3580d1a65f9c19d54e6626f9e4b76

Score

10^/10

xmrig miner persistence ransomware spyware

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Executes dropped EXE 1 IoCs

Processes:

WindowsNetworkManager.exe

pid process

4332 WindowsNetworkManager.exe
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
ransomware

Processes:

WindowsNetworkManager.exe

description ioc process

File created C:\Users\Admin\Pictures\ExpandSubmit.raw.v316 WindowsNetworkManager.exe
Deletes itself 1 IoCs

Processes:

WindowsNetworkManager.exe

pid process

4332 WindowsNetworkManager.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4332	WindowsNetworkManager.exe

description	ioc	process
File created	C:\Users\Admin\Pictures\ExpandSubmit.raw.v316	WindowsNetworkManager.exe

pid	process
4332	WindowsNetworkManager.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3dcd284892131ed336b5801c7993d3ed.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\SystemRec.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\Z-6-8-02-0147281012-018237041-9816430924-9142\\P-1-5-16-7923435274-12478148975817408994-4122\\SystemRec.exe"	3dcd284892131ed336b5801c7993d3ed.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

3dcd284892131ed336b5801c7993d3ed.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	3dcd284892131ed336b5801c7993d3ed.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	3dcd284892131ed336b5801c7993d3ed.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 checkip.dyndns.org

flow	ioc
7	checkip.dyndns.org

Drops file in System32 directory 3 IoCs

Processes:

3dcd284892131ed336b5801c7993d3ed.exeWindowsNetworkManager.exe

description	ioc	process
File created	C:\Windows\SysWOW64\msmgr.exe	3dcd284892131ed336b5801c7993d3ed.exe
File opened for modification	C:\Windows\SysWOW64\msmgr.exe	3dcd284892131ed336b5801c7993d3ed.exe
File created	C:\Windows\SysWOW64\msmgr.exe	WindowsNetworkManager.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

WindowsNetworkManager.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\Desktop\Wallpaper	WindowsNetworkManager.exe

Drops file in Program Files directory 16169 IoCs

Processes:

WindowsNetworkManager.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\List.txt.v316	WindowsNetworkManager.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\Assets\contrast-white\OneConnectAppList.targetsize-16.png	WindowsNetworkManager.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linesdistinctive.dotx.v316	WindowsNetworkManager.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Autumn\autumn_12d.png	WindowsNetworkManager.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_Moon.png	WindowsNetworkManager.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_share_18.svg.v316	WindowsNetworkManager.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_gridview_selected.svg.v316	WindowsNetworkManager.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-48.png	WindowsNetworkManager.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	WindowsNetworkManager.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-30.png	WindowsNetworkManager.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\DataStreamerLibrary.dll.config	WindowsNetworkManager.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\xj_60x42.png	WindowsNetworkManager.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.StarClub\Assets\ribbon.png	WindowsNetworkManager.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Generic-Dark.scale-300.png	WindowsNetworkManager.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	WindowsNetworkManager.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\SearchEmail2x.png	WindowsNetworkManager.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\en-ae\ui-strings.js	WindowsNetworkManager.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Green.xml	WindowsNetworkManager.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_neutral_split.scale-180_8wekyb3d8bbwe\Assets\Office\SelectAll.scale-180.png	WindowsNetworkManager.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs_ja.jar	WindowsNetworkManager.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\eu-es\ui-strings.js	WindowsNetworkManager.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	WindowsNetworkManager.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-80_contrast-black.png	WindowsNetworkManager.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\animations\OneNoteFRE_ClipAndAdd_RTL_Phone.mp4	WindowsNetworkManager.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\6584_24x24x32.png	WindowsNetworkManager.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-256_altform-unplated.png	WindowsNetworkManager.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\40.jpg	WindowsNetworkManager.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\es-es\ui-strings.js	WindowsNetworkManager.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\plugins\rhp\pages-app-tool-view.js.v316	WindowsNetworkManager.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\fr-fr\ui-strings.js.v316	WindowsNetworkManager.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-40_altform-colorize.png	WindowsNetworkManager.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Icons\friends_activity.png	WindowsNetworkManager.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\za_60x42.png	WindowsNetworkManager.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\OneConnectStoreLogo.scale-100.png	WindowsNetworkManager.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxMailWideTile.scale-100.png	WindowsNetworkManager.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageStoreLogo.scale-200_contrast-black.png	WindowsNetworkManager.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailSmallTile.scale-400.png	WindowsNetworkManager.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\challenge\Go_for_the_Silver_Unearned_small.png	WindowsNetworkManager.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\8.jpg	WindowsNetworkManager.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\ExchangeSmallTile.scale-125.png	WindowsNetworkManager.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.scale-100_contrast-white.png	WindowsNetworkManager.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-180.png	WindowsNetworkManager.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\phone.png	WindowsNetworkManager.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxMailSplashLogo.scale-125.png	WindowsNetworkManager.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Icons\freecell_menu_icon.png	WindowsNetworkManager.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_neutral_resources.scale-150_8wekyb3d8bbwe\Assets\contrast-white\iheart-radio.scale-150_contrast-white.png	WindowsNetworkManager.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fi-fi\ui-strings.js	WindowsNetworkManager.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\TimerLargeTile.scale-100.png	WindowsNetworkManager.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPHandle.png	WindowsNetworkManager.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\da-dk\ui-strings.js.v316	WindowsNetworkManager.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\5311_20x20x32.png	WindowsNetworkManager.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\pizza.png	WindowsNetworkManager.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\8196_32x32x32.png	WindowsNetworkManager.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteSplashLogo.scale-200.png	WindowsNetworkManager.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\10393_36x36x32.png	WindowsNetworkManager.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_checkbox_partialselected-default_18.svg	WindowsNetworkManager.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosLogoExtensions.targetsize-64.png	WindowsNetworkManager.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarLargeTile.scale-200.png	WindowsNetworkManager.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-36.png	WindowsNetworkManager.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GamesXboxHubAppList.scale-100.png	WindowsNetworkManager.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteNotebookMedTile.scale-400.png	WindowsNetworkManager.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\mix.gif	WindowsNetworkManager.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_newfolder_dark_18.svg.v316	WindowsNetworkManager.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\flags.png.v316	WindowsNetworkManager.exe

Drops file in Windows directory 3 IoCs

Processes:

3dcd284892131ed336b5801c7993d3ed.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	3dcd284892131ed336b5801c7993d3ed.exe
File created	C:\Windows\assembly\Desktop.ini	3dcd284892131ed336b5801c7993d3ed.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	3dcd284892131ed336b5801c7993d3ed.exe

Suspicious behavior: EnumeratesProcesses 277 IoCs

Processes:

3dcd284892131ed336b5801c7993d3ed.exeWindowsNetworkManager.exe

pid	process
4764	3dcd284892131ed336b5801c7993d3ed.exe
4764	3dcd284892131ed336b5801c7993d3ed.exe
4764	3dcd284892131ed336b5801c7993d3ed.exe
4764	3dcd284892131ed336b5801c7993d3ed.exe
4764	3dcd284892131ed336b5801c7993d3ed.exe
4764	3dcd284892131ed336b5801c7993d3ed.exe
4764	3dcd284892131ed336b5801c7993d3ed.exe
4764	3dcd284892131ed336b5801c7993d3ed.exe
4764	3dcd284892131ed336b5801c7993d3ed.exe
4764	3dcd284892131ed336b5801c7993d3ed.exe
4764	3dcd284892131ed336b5801c7993d3ed.exe
4764	3dcd284892131ed336b5801c7993d3ed.exe
4764	3dcd284892131ed336b5801c7993d3ed.exe
4764	3dcd284892131ed336b5801c7993d3ed.exe
4764	3dcd284892131ed336b5801c7993d3ed.exe
4764	3dcd284892131ed336b5801c7993d3ed.exe
4764	3dcd284892131ed336b5801c7993d3ed.exe
4764	3dcd284892131ed336b5801c7993d3ed.exe
4764	3dcd284892131ed336b5801c7993d3ed.exe
4764	3dcd284892131ed336b5801c7993d3ed.exe
4764	3dcd284892131ed336b5801c7993d3ed.exe
4764	3dcd284892131ed336b5801c7993d3ed.exe
4764	3dcd284892131ed336b5801c7993d3ed.exe
4332	WindowsNetworkManager.exe
4332	WindowsNetworkManager.exe
4332	WindowsNetworkManager.exe
4332	WindowsNetworkManager.exe
4332	WindowsNetworkManager.exe
4332	WindowsNetworkManager.exe
4332	WindowsNetworkManager.exe
4332	WindowsNetworkManager.exe
4332	WindowsNetworkManager.exe
4332	WindowsNetworkManager.exe
4332	WindowsNetworkManager.exe
4332	WindowsNetworkManager.exe
4332	WindowsNetworkManager.exe
4332	WindowsNetworkManager.exe
4332	WindowsNetworkManager.exe
4332	WindowsNetworkManager.exe
4332	WindowsNetworkManager.exe
4332	WindowsNetworkManager.exe
4332	WindowsNetworkManager.exe
4332	WindowsNetworkManager.exe
4332	WindowsNetworkManager.exe
4332	WindowsNetworkManager.exe
4332	WindowsNetworkManager.exe
4332	WindowsNetworkManager.exe
4332	WindowsNetworkManager.exe
4332	WindowsNetworkManager.exe
4332	WindowsNetworkManager.exe
4332	WindowsNetworkManager.exe
4332	WindowsNetworkManager.exe
4332	WindowsNetworkManager.exe
4332	WindowsNetworkManager.exe
4332	WindowsNetworkManager.exe
4332	WindowsNetworkManager.exe
4332	WindowsNetworkManager.exe
4332	WindowsNetworkManager.exe
4332	WindowsNetworkManager.exe
4332	WindowsNetworkManager.exe
4332	WindowsNetworkManager.exe
4332	WindowsNetworkManager.exe
4332	WindowsNetworkManager.exe
4332	WindowsNetworkManager.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

3dcd284892131ed336b5801c7993d3ed.exeWindowsNetworkManager.exe

description pid process

Token: SeDebugPrivilege 4764 3dcd284892131ed336b5801c7993d3ed.exe
Token: SeDebugPrivilege 4332 WindowsNetworkManager.exe

description	pid	process
Token: SeDebugPrivilege	4764	3dcd284892131ed336b5801c7993d3ed.exe
Token: SeDebugPrivilege	4332	WindowsNetworkManager.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

3dcd284892131ed336b5801c7993d3ed.exe

description	pid	process	target process
PID 4764 wrote to memory of 4332	4764	3dcd284892131ed336b5801c7993d3ed.exe	WindowsNetworkManager.exe
PID 4764 wrote to memory of 4332	4764	3dcd284892131ed336b5801c7993d3ed.exe	WindowsNetworkManager.exe
PID 4764 wrote to memory of 4332	4764	3dcd284892131ed336b5801c7993d3ed.exe	WindowsNetworkManager.exe

C:\Users\Admin\AppData\Local\Temp\3dcd284892131ed336b5801c7993d3ed.exe
"C:\Users\Admin\AppData\Local\Temp\3dcd284892131ed336b5801c7993d3ed.exe"
1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Microsoft\Windows\WindowsNetworkManager.exe
  "C:\Microsoft\Windows\WindowsNetworkManager.exe" C:\Users\Admin\AppData\Local\Temp\3dcd284892131ed336b5801c7993d3ed.exe
  2⤵
  - Executes dropped EXE
  - Modifies extensions of user files
  - Deletes itself
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4332

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Microsoft\Windows\WindowsNetworkManager.exe

MD5
3dcd284892131ed336b5801c7993d3ed

SHA1
b1055faf8ac2c14ce5c45f1954c45f7ab6a986eb

SHA256
9c748a69c48b79e6422b3bea1766e415de5532cb7ba2b9673d5a51163e6c1df2

SHA512
9fb9ee8903ded8051ca40b1d6f780c7b475255987ee592e35ccebc7119fdef6202f2f80b47e00eedb1434649c299eea1f1f3580d1a65f9c19d54e6626f9e4b76

Download Submit
C:\Microsoft\Windows\WindowsNetworkManager.exe

MD5
3dcd284892131ed336b5801c7993d3ed

SHA1
b1055faf8ac2c14ce5c45f1954c45f7ab6a986eb

SHA256
9c748a69c48b79e6422b3bea1766e415de5532cb7ba2b9673d5a51163e6c1df2

SHA512
9fb9ee8903ded8051ca40b1d6f780c7b475255987ee592e35ccebc7119fdef6202f2f80b47e00eedb1434649c299eea1f1f3580d1a65f9c19d54e6626f9e4b76

Download Submit
memory/4332-3-0x0000000000000000-mapping.dmp

Download
memory/4332-6-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/4764-2-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads