xmrig | 99e3d7fbbc0313a026f831c5304f4eee5b022e646416d8347d547ada3addb21f

General

Target

b59e14046324524903d77687b3477d04.exe
Size

6.5MB
MD5

b59e14046324524903d77687b3477d04
SHA1

8596c6b591cfee14ee3dfd1abccc9c1cbacb1df5
SHA256

99e3d7fbbc0313a026f831c5304f4eee5b022e646416d8347d547ada3addb21f
SHA512

a8a8cc7640207fc628d92b9ee21c1536c19d277a81c4c4925966efff1e52f6c76798f056871266f9c2243d9fdd3b86c435645801e1834324e1c760e48e31e103

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4712-2-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral2/memory/4712-4-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig

UPX packed file 105 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

yara_rule
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx
upx

Drops desktop.ini file(s) 2 IoCs

Processes:

b59e14046324524903d77687b3477d04.exe

description	ioc	process
File created	C:\$Recycle.Bin\S-1-5-21-3341490333-719741536-2920803124-1000\desktop.ini	b59e14046324524903d77687b3477d04.exe
File created	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	b59e14046324524903d77687b3477d04.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Drops file in Program Files directory 1075 IoCs

Processes:

b59e14046324524903d77687b3477d04.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	b59e14046324524903d77687b3477d04.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.es-es.dll	b59e14046324524903d77687b3477d04.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\86.0.4240.111\elevation_service.exe	b59e14046324524903d77687b3477d04.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_zh_CN.properties	b59e14046324524903d77687b3477d04.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.ini	b59e14046324524903d77687b3477d04.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\PYCC.pf	b59e14046324524903d77687b3477d04.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\jawt.lib	b59e14046324524903d77687b3477d04.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\ECLIPSE_.RSA	b59e14046324524903d77687b3477d04.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.components.ui.ja_5.5.0.165303.jar	b59e14046324524903d77687b3477d04.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\oledb32r.dll.mui	b59e14046324524903d77687b3477d04.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-process-l1-1-0.dll	b59e14046324524903d77687b3477d04.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\86.0.4240.111\Locales\zh-CN.pak	b59e14046324524903d77687b3477d04.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	b59e14046324524903d77687b3477d04.exe
File created	C:\Program Files\Common Files\System\DirectDB.dll	b59e14046324524903d77687b3477d04.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-join.avi	b59e14046324524903d77687b3477d04.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\tabskb.dll	b59e14046324524903d77687b3477d04.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe	b59e14046324524903d77687b3477d04.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\ECLIPSE_.SF	b59e14046324524903d77687b3477d04.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\epl-v10.html	b59e14046324524903d77687b3477d04.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\SharedPerformance.man	b59e14046324524903d77687b3477d04.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	b59e14046324524903d77687b3477d04.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\86.0.4240.111\VisualElements\SmallLogoDev.png	b59e14046324524903d77687b3477d04.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_CopyDrop32x32.gif	b59e14046324524903d77687b3477d04.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\jsse.jar	b59e14046324524903d77687b3477d04.exe
File created	C:\Program Files\Common Files\System\ado\msadomd28.tlb	b59e14046324524903d77687b3477d04.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvSubsystemController.dll	b59e14046324524903d77687b3477d04.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-stdio-l1-1-0.dll	b59e14046324524903d77687b3477d04.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml	b59e14046324524903d77687b3477d04.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipstr.xml	b59e14046324524903d77687b3477d04.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	b59e14046324524903d77687b3477d04.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	b59e14046324524903d77687b3477d04.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml	b59e14046324524903d77687b3477d04.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\license.html	b59e14046324524903d77687b3477d04.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	b59e14046324524903d77687b3477d04.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVClient.man	b59e14046324524903d77687b3477d04.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\sawindbg.dll	b59e14046324524903d77687b3477d04.exe
File opened for modification	C:\Program Files\Internet Explorer\SIGNUP\install.ins	b59e14046324524903d77687b3477d04.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\keytool.exe	b59e14046324524903d77687b3477d04.exe
File created	C:\Program Files\Common Files\System\msadc\msaddsr.dll	b59e14046324524903d77687b3477d04.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\mshwgst.dll	b59e14046324524903d77687b3477d04.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\serialver.exe	b59e14046324524903d77687b3477d04.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\org.eclipse.rcp_root_4.4.0.v20141007-2301	b59e14046324524903d77687b3477d04.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	b59e14046324524903d77687b3477d04.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\README-JDK.html	b59e14046324524903d77687b3477d04.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_fr.jar	b59e14046324524903d77687b3477d04.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\eclipse_update_120.jpg	b59e14046324524903d77687b3477d04.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.commands_5.5.0.165303.jar	b59e14046324524903d77687b3477d04.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.common_5.5.0.165303.jar	b59e14046324524903d77687b3477d04.exe
File created	C:\Program Files\Common Files\microsoft shared\Stationery\Orange Circles.htm	b59e14046324524903d77687b3477d04.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	b59e14046324524903d77687b3477d04.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml	b59e14046324524903d77687b3477d04.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jfr.dll	b59e14046324524903d77687b3477d04.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\jconsole.jar	b59e14046324524903d77687b3477d04.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	b59e14046324524903d77687b3477d04.exe
File created	C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui	b59e14046324524903d77687b3477d04.exe
File created	C:\Program Files\Common Files\System\ado\msadrh15.dll	b59e14046324524903d77687b3477d04.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\86.0.4240.111\Locales\pt-BR.pak	b59e14046324524903d77687b3477d04.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe	b59e14046324524903d77687b3477d04.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\jawt.h	b59e14046324524903d77687b3477d04.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ro-ro.dll	b59e14046324524903d77687b3477d04.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\zh-TW\tipresx.dll.mui	b59e14046324524903d77687b3477d04.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	b59e14046324524903d77687b3477d04.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	b59e14046324524903d77687b3477d04.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\en-US\TipTsf.dll.mui	b59e14046324524903d77687b3477d04.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	taskmgr.exe

Modifies Internet Explorer start page 1 TTPs 3 IoCs

stealer

Modify Registry

T1112

Processes:

b59e14046324524903d77687b3477d04.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.wLBJYFypeE.com"	b59e14046324524903d77687b3477d04.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.hUyFxiGJBP.com"	b59e14046324524903d77687b3477d04.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.KIjoQkZryY.com"	b59e14046324524903d77687b3477d04.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

b59e14046324524903d77687b3477d04.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	b59e14046324524903d77687b3477d04.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	b59e14046324524903d77687b3477d04.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	b59e14046324524903d77687b3477d04.exe

Suspicious behavior: EnumeratesProcesses 79 IoCs

Processes:

taskmgr.exe

pid	process
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

b59e14046324524903d77687b3477d04.exetaskmgr.exe

description	pid	process
Token: SeLockMemoryPrivilege	4712	b59e14046324524903d77687b3477d04.exe
Token: SeLockMemoryPrivilege	4712	b59e14046324524903d77687b3477d04.exe
Token: SeDebugPrivilege	792	taskmgr.exe
Token: SeSystemProfilePrivilege	792	taskmgr.exe
Token: SeCreateGlobalPrivilege	792	taskmgr.exe

Suspicious use of FindShellTrayWindow 91 IoCs

Processes:

taskmgr.exe

pid	process
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe

Suspicious use of SendNotifyMessage 91 IoCs

Processes:

taskmgr.exe

pid	process
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe
792	taskmgr.exe

C:\Users\Admin\AppData\Local\Temp\b59e14046324524903d77687b3477d04.exe
"C:\Users\Admin\AppData\Local\Temp\b59e14046324524903d77687b3477d04.exe"
1⤵
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies Internet Explorer start page
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:4712

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:792

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Install Root Certificate

1

T1130

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4712-2-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/4712-3-0x00000000000A0000-0x00000000000B0000-memory.dmp

Filesize
64KB

Download
memory/4712-4-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads