xmrig | 4b9afe0a9750dec2d7dc5191281107337cfd58514cc45c794f00827db79df003

General

Target

c0ad70f9_by_Libranalysis.exe
Size

12.3MB
MD5

c0ad70f9c2b3620dd629c84220f06181
SHA1

74459e1ef6e7b892ac1a68a222e36263ebcd01db
SHA256

4b9afe0a9750dec2d7dc5191281107337cfd58514cc45c794f00827db79df003
SHA512

aa01d45f51000177d2bf6034c2ebaacc4309a858f2148845acb67fe4ba582c7adc48aac4cc89437cecb5b4d794304c30d3cdfdfe163743ce5c4cb6e38cad7f91

Score

10^/10

xmrig evasion miner persistence spyware stealer trojan

Malware Config

Signatures

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 1 IoCs

miner

Processes:

resource	yara_rule
C:\Windows\svchost.exe	xmrig

Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

1484 svchost.exe
Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1484	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c0ad70f9_by_Libranalysis.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c0ad70f9_by_Libranalysis.exe"	c0ad70f9_by_Libranalysis.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

c0ad70f9_by_Libranalysis.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c0ad70f9_by_Libranalysis.exe

Drops file in System32 directory 64 IoCs

Processes:

c0ad70f9_by_Libranalysis.exe

description	ioc	process
File created	C:\Windows\SysWOW64\SyncHost.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\timeout.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\typeperf.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\regedit.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\at.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\certutil.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\odbcconf.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\rasphone.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\Mystify.scr	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\diskcomp.com	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\cliconfg.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\makecab.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\ocsetup.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\pcaui.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\xpsrchvw.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\dpnsvr.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\MuiUnattend.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\wevtutil.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\wowreg32.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\IME\IMEJP10\IMJPUEX.EXE	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\RMActivate_isv.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\sbunattend.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\tasklist.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\cmstp.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\control.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\ipconfig.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\nslookup.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\proquota.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\winrs.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\TSTheme.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\UserAccountControlSettings.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\wininit.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\bitsadmin.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\driverquery.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\mcbuilder.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\newdev.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\printui.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\dllhst3g.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\netbtugc.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\wecutil.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\com\comrepl.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\autochk.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\chcp.com	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wvmic.inf_amd64_neutral_b94eb92e8150fa35\vmicsvc.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\AtBroker.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\auditpol.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\cmmon32.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\dnscacheugc.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\sdiagnhost.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\hdwwiz.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\ROUTE.EXE	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\unregmp2.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\SetIEInstalledDate.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\secinit.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\WerFaultSecure.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\cttune.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\extrac32.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\gpupdate.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\Magnify.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\PkgMgr.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\verifier.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\DevicePairingWizard.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\diskraid.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\ieUnatt.exe	c0ad70f9_by_Libranalysis.exe

Drops file in Program Files directory 64 IoCs

Processes:

c0ad70f9_by_Libranalysis.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	c0ad70f9_by_Libranalysis.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewFrame.html	c0ad70f9_by_Libranalysis.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	c0ad70f9_by_Libranalysis.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	c0ad70f9_by_Libranalysis.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	c0ad70f9_by_Libranalysis.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	c0ad70f9_by_Libranalysis.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	c0ad70f9_by_Libranalysis.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\preface.htm	c0ad70f9_by_Libranalysis.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Roses.htm	c0ad70f9_by_Libranalysis.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	c0ad70f9_by_Libranalysis.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	c0ad70f9_by_Libranalysis.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE	c0ad70f9_by_Libranalysis.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\vlm.html	c0ad70f9_by_Libranalysis.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	c0ad70f9_by_Libranalysis.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	c0ad70f9_by_Libranalysis.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	c0ad70f9_by_Libranalysis.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsDoNotTrust.html	c0ad70f9_by_Libranalysis.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	c0ad70f9_by_Libranalysis.exe
File opened for modification	C:\Program Files\Java\jre7\Welcome.html	c0ad70f9_by_Libranalysis.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\slideShow.html	c0ad70f9_by_Libranalysis.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Program Files\Windows Media Player\wmprph.exe	c0ad70f9_by_Libranalysis.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsPrintTemplate.html	c0ad70f9_by_Libranalysis.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh.htm	c0ad70f9_by_Libranalysis.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\license.html	c0ad70f9_by_Libranalysis.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	c0ad70f9_by_Libranalysis.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Program Files\Windows Media Player\wmpshare.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	c0ad70f9_by_Libranalysis.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\license.html	c0ad70f9_by_Libranalysis.exe
File created	C:\Program Files (x86)\Windows Media Player\wmpenc.exe	c0ad70f9_by_Libranalysis.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\license.html	c0ad70f9_by_Libranalysis.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsImageTemplate.html	c0ad70f9_by_Libranalysis.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	c0ad70f9_by_Libranalysis.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Program Files\Windows Journal\PDIALOG.exe	c0ad70f9_by_Libranalysis.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	c0ad70f9_by_Libranalysis.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\TECHTOOL.HTM	c0ad70f9_by_Libranalysis.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	c0ad70f9_by_Libranalysis.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\license.html	c0ad70f9_by_Libranalysis.exe
File created	C:\Program Files\Windows Mail\wab.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Program Files\Windows Media Player\wmpenc.exe	c0ad70f9_by_Libranalysis.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\license.html	c0ad70f9_by_Libranalysis.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\flyout.html	c0ad70f9_by_Libranalysis.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsMacroTemplate.html	c0ad70f9_by_Libranalysis.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateSetup.exe	c0ad70f9_by_Libranalysis.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsBrowserUpgrade.html	c0ad70f9_by_Libranalysis.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsBlankPage.html	c0ad70f9_by_Libranalysis.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPrintTemplate.html	c0ad70f9_by_Libranalysis.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	c0ad70f9_by_Libranalysis.exe
File opened for modification	C:\Program Files\Java\jre7\bin\servertool.exe	c0ad70f9_by_Libranalysis.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	c0ad70f9_by_Libranalysis.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\about.html	c0ad70f9_by_Libranalysis.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\mobile.html	c0ad70f9_by_Libranalysis.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SCANPST.EXE	c0ad70f9_by_Libranalysis.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\clock.html	c0ad70f9_by_Libranalysis.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	c0ad70f9_by_Libranalysis.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOUC.EXE	c0ad70f9_by_Libranalysis.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSQRY32.EXE	c0ad70f9_by_Libranalysis.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\mobile_view.html	c0ad70f9_by_Libranalysis.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\equalizer_window.html	c0ad70f9_by_Libranalysis.exe

Drops file in Windows directory 64 IoCs

Processes:

c0ad70f9_by_Libranalysis.exe

description	ioc	process
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\403-9.htm	c0ad70f9_by_Libranalysis.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\mcupdate\f30beba36940b5a2b55a32ea7f42d694\mcupdate.ni.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..etexplorer-optional_31bf3856ad364e35_11.2.9600.16428_none_7b0d6f67c2d3f97a\iexplore.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..-odbc-administrator_31bf3856ad364e35_6.1.7600.16385_none_a044d905576812d4\odbcad32.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-coreusermodepnp_31bf3856ad364e35_6.1.7601.17514_none_df7c5af777ec4541\drvinst.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-taskmgr_31bf3856ad364e35_6.1.7601.17514_none_16699919077609d2\taskmgr.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ehome-ehrec_31bf3856ad364e35_6.1.7600.16385_none_a6e882bc6eb8ea53\ehrec.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_6.1.7600.16385_none_d911df4e81059b22\subst.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\winsxs\Backup\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.17727_none_6e30004a126a8db7_ntkrnlpa.exe_165c312a	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-sidebar_31bf3856ad364e35_6.1.7601.17514_none_37575b7e71a86712\sidebar.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-tzutil_31bf3856ad364e35_6.1.7601.17514_none_9cbe849a4e275c84\tzutil.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..ets-clock.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7fddcd6a1ab604da\clock.html	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-makecab_31bf3856ad364e35_6.1.7600.16385_none_f0a5d809ca926e4f\makecab.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-s..pertiescomputername_31bf3856ad364e35_6.1.7600.16385_none_304988749d91936f\SystemPropertiesComputerName.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\winsxs\amd64_brmfcmf.inf_31bf3856ad364e35_6.1.7600.16385_none_6f8740b92fea8e01\BrmfRsmg.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-netcfg_31bf3856ad364e35_6.1.7600.16385_none_6c23cd5f6b2a8dbc\netcfg.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_6.1.7601.17514_none_42d65ed50fa3c682\tskill.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-w..for-management-core_31bf3856ad364e35_6.1.7601.17514_none_288b7acec3a75696\wsmprovhost.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\winsxs\amd64_netfx35linq-addinprocess_31bf3856ad364e35_6.1.7601.17514_none_8ebd3037635a8b2f\AddInProcess.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-shutdown-event-tracker_31bf3856ad364e35_6.1.7600.16385_none_02aa6dd4294b8d5f\shutdown.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-security-secedit_31bf3856ad364e35_6.1.7600.16385_none_0adc1fc1cb6f944b\SecEdit.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-snippingtool-app_31bf3856ad364e35_6.1.7600.16385_none_f5b8f3d6a353fa89\SnippingTool.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-wmi-snmp-provider_31bf3856ad364e35_6.1.7601.17514_none_08e183f8dd5f48b7\smi2smir.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-bootconfig_31bf3856ad364e35_6.1.7600.16385_none_0becd32d7b9ba9e5\bootcfg.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-diskraid_31bf3856ad364e35_6.1.7601.17514_none_67910dfbf63c4aae\diskraid.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-bits-bitsadmin_31bf3856ad364e35_6.1.7601.17514_none_ab379671230b963f\bitsadmin.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-diantz_31bf3856ad364e35_6.1.7600.16385_none_02bb0612dc529329\diantz.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-peertopeercollab_31bf3856ad364e35_6.1.7600.16385_none_f32a402a46d391f3\p2phost.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..opertiesperformance_31bf3856ad364e35_6.1.7600.16385_none_b6cb9ed71c8b43d5\SystemPropertiesPerformance.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-setupapi_31bf3856ad364e35_6.1.7601.17514_none_931b5f1fdcdd6496\wowreg32.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\winsxs\x86_netfx-clrgc_b03f5f7f11d50a3a_6.1.7601.17514_none_f5276fe6b5adf276\clrgc.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-runas_31bf3856ad364e35_6.1.7600.16385_none_5fbe9f67bec0f818\runas.exe	c0ad70f9_by_Libranalysis.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\ComSvcConfig\d632b7434f821829827657e23ac98589\ComSvcConfig.ni.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..-japanese-utilities_31bf3856ad364e35_6.1.7601.17514_none_4b57445488ba33fd\IMJPUEX.EXE	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ie-iediag_31bf3856ad364e35_11.2.9600.16428_none_f937400aa65f97cc\iediagcmd.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-security-vault_31bf3856ad364e35_6.1.7600.16385_none_4d5e025e54ba15f8\VaultSysUi.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..es-commandlinetools_31bf3856ad364e35_6.1.7601.17514_none_42d65ed50fa3c682\query.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-i..i_initiator_service_31bf3856ad364e35_6.1.7601.17514_none_42ee5aff60183c81\iscsicli.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ie-iecleanup_31bf3856ad364e35_11.2.9600.16428_none_441eccc2f13eab51\iecleanup.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	c0ad70f9_by_Libranalysis.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.5\DataSvcUtil.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-getmac_31bf3856ad364e35_6.1.7600.16385_none_67f38861bbac1910\getmac.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ieinstal_31bf3856ad364e35_11.2.9600.16428_none_caf2ec2ca6b08f27\ieinstal.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-gpowershell-exe_31bf3856ad364e35_6.1.7600.16385_none_9edabb9befc6e697\powershell_ise.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.1.7601.17514_none_698fc88e65b943d6\wmplayer.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-unattendedjoin_31bf3856ad364e35_6.1.7601.17514_none_113aea0e8374286d\djoin.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..ing-management-core_31bf3856ad364e35_6.1.7601.17514_none_2d3b8ff08901343f\DismHost.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..-currency.resources_31bf3856ad364e35_6.1.7600.16385_en-us_d158ae10876efd6d\currency.html	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_compiler.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-eventcollector_31bf3856ad364e35_6.1.7601.22252_none_598fe67da49281af\wecutil.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-wmi-core-providerhost_31bf3856ad364e35_6.1.7601.17514_none_6e88c3faa2049408\WmiPrvSE.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-wow64_31bf3856ad364e35_6.1.7600.16385_none_ce6f64032560fa6b\user.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.17727_none_6e30004a126a8db7\ntkrnlpa.exe	c0ad70f9_by_Libranalysis.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\SMSvcHost\0b4d4e172e8054cb61d27f5ab9e0e445\SMSvcHost.ni.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\servicing\GC64\tzupd.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..devicescontrolpanel_31bf3856ad364e35_6.1.7600.16385_none_8094bd7b62d2b435\ImagingDevices.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\winsxs\amd64_msbuild_b03f5f7f11d50a3a_3.5.7601.17514_none_ea8ca0c25e350957\MSBuild.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.1.7601.17514_none_73e472e09a1a05d1\wmpshare.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ehome-mcglidhost_31bf3856ad364e35_6.1.7600.16385_none_05a2b72417ec1c6a\mcGlidHost.exe	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\winsxs\Backup\amd64_microsoft-windows-virtualdiskservice_31bf3856ad364e35_6.1.7601.17514_none_c910d80f114e267a_vds.exe_cb461c29	c0ad70f9_by_Libranalysis.exe
File created	C:\Windows\winsxs\Temp\PendingRenames\f092b847da2dd701ee090000d8030809.amd64_microsoft-windows-wmi-core-svc_31bf3856ad364e35_7.2.7601.16406_none_b884f02b3738aab4_winmgmt.exe_8f8eb7b1	c0ad70f9_by_Libranalysis.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

c0ad70f9_by_Libranalysis.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	788	c0ad70f9_by_Libranalysis.exe
Token: 33	788	c0ad70f9_by_Libranalysis.exe
Token: SeIncBasePriorityPrivilege	788	c0ad70f9_by_Libranalysis.exe
Token: SeIncBasePriorityPrivilege	1484	svchost.exe
Token: SeLockMemoryPrivilege	1484	svchost.exe
Token: SeLockMemoryPrivilege	1484	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

c0ad70f9_by_Libranalysis.exe

pid process

788 c0ad70f9_by_Libranalysis.exe

pid	process
788	c0ad70f9_by_Libranalysis.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

c0ad70f9_by_Libranalysis.exe

description	pid	process	target process
PID 788 wrote to memory of 1484	788	c0ad70f9_by_Libranalysis.exe	svchost.exe
PID 788 wrote to memory of 1484	788	c0ad70f9_by_Libranalysis.exe	svchost.exe
PID 788 wrote to memory of 1484	788	c0ad70f9_by_Libranalysis.exe	svchost.exe
PID 788 wrote to memory of 1484	788	c0ad70f9_by_Libranalysis.exe	svchost.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

c0ad70f9_by_Libranalysis.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system	c0ad70f9_by_Libranalysis.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c0ad70f9_by_Libranalysis.exe

C:\Users\Admin\AppData\Local\Temp\c0ad70f9_by_Libranalysis.exe
"C:\Users\Admin\AppData\Local\Temp\c0ad70f9_by_Libranalysis.exe"
1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:788

C:\Windows\svchost.exe
"C:\Windows\svchost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1484

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Modify Registry

4

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\config.json
MD5
88c5c5706d2e237422eda18490dc6a59

SHA1
bb8d12375f6b995301e756de2ef4fa3a3f6efd39

SHA256
4756a234ed3d61fe187d9b6140792e54e7b757545edff82df594a507e528ed8e

SHA512
a417270a0d46de5bb06a621c0383c893042a506524713f89ba55567df6e5c3ac8b198bce5a0300ec6e716897bb53fd3e8289a51240157dc743004517673d4ab7

Download Submit
C:\Windows\svchost.exe
MD5
4a87a4d6677558706db4afaeeeb58d20

SHA1
7738dc6a459f8415f0265d36c626b48202cd6764

SHA256
08b55f9b7dafc53dfc43f7f70cdd7048d231767745b76dc4474370fb323d7ae7

SHA512
bedd8ed4975df3fcd4a0f575d6f38e3841e7a4b771baac4f72033102a070818b8539eb101c50563d89d4f3454899a1cedb33047b02e421256dedf9aaf258b594

Download Submit
memory/788-60-0x0000000075A71000-0x0000000075A73000-memory.dmp

Filesize
8KB

Download
memory/1484-61-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads