Analysis
- max time kernel: 576s
- max time network: 584s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 27-07-2021 13:14
- Static task: static1
General
- Target: mine.exe
- Size: 5.9MB
- MD5: 09d83c47610228fcfa9ac97cddd492fe
- SHA1: fc63d772dfbf7cde2323f39fadcafbae86894c6a
- SHA256: 3d6a3c3b0bfcd73cb4a07aabfdc5a915b7bc38c835cf5d87b724bc5aa7704653
- SHA512: 2b6e85774a56c58e5ce133406924e38d6b4de8fffd5a46b27813cf738b69a28c877f440a863217fa6983813353a54798b608b1db1f95375ddf4a19e82be2a940
Malware Config
Signatures
- suricata: ET MALWARE Generic gate[.].php GET with minimal headers
- suricata: ET MALWARE Likely Zbot Generic Request to gate.php Dotted-Quad
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
Executes dropped EXE 6 IoCs
Processes (pid, process):
- 3292 MicrosoftApi.exe
- 1884 MicrosoftApi.exe
- 1696 ScreanDriver.exe
- 2156 ScreanDriver.exe
- 1940 ScreanDriver.exe
- 480 ScreanDriver.exe
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion MicrosoftApi.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion MicrosoftApi.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion MicrosoftApi.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion mine.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion mine.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion MicrosoftApi.exe
YARA rule matches (resource, yara_rule):
- behavioral1/memory/4060-117-0x00007FF68FC70000-0x00007FF68FC71000-memory.dmp themida
- C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe themida
- behavioral1/memory/3292-122-0x00007FF765CA0000-0x00007FF765CA1000-memory.dmp themida
- C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe themida
- \??\c:\users\admin\appdata\roaming\servicemicrosoftapi\microsoftapi.exe themida
Checks whether UAC is enabled
Processes (description, ioc, process):
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA mine.exe
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA MicrosoftApi.exe
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA MicrosoftApi.exe
Drops file in System32 directory 1 IoCs
Processes (description, ioc, process):
- File opened for modification C:\Windows\system32\devmgmt.msc mmc.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes (pid, process):
- 4060 mine.exe
- 3292 MicrosoftApi.exe
- 1884 MicrosoftApi.exe
Drops file in Windows directory 50 IoCs
Processes (description, ioc, process): every entry is "File created" by mmc.exe under C:\Windows\INF\:
- c_scmvolume.PNF, c_fscontinuousbackup.PNF, c_fsantivirus.PNF, c_fshsm.PNF, c_firmware.PNF, dc1-controller.PNF, c_monitor.PNF, c_volume.PNF, c_barcodescanner.PNF, c_holographic.PNF
- xusb22.PNF, c_fsinfrastructure.PNF, remoteposdrv.PNF, c_mcx.PNF, rawsilo.PNF, c_fssecurityenhancer.PNF, c_extension.PNF, c_scmdisk.PNF, oposdrv.PNF, c_fsencryption.PNF
- c_fscfsmetadataserver.PNF, c_fsvirtualization.PNF, c_swcomponent.PNF, c_fssystem.PNF, c_fsquotamgmt.PNF, c_fscopyprotection.PNF, ramdisk.PNF, digitalmediadevice.PNF, c_linedisplay.PNF, c_proximity.PNF
- c_fsphysicalquotamgmt.PNF, c_cashdrawer.PNF, c_netdriver.PNF, c_fscompression.PNF, c_fsundelete.PNF, c_magneticstripereader.PNF, c_diskdrive.PNF, c_apo.PNF, c_fsactivitymonitor.PNF, wsdprint.PNF
- c_fsopenfilebackup.PNF, c_fscontentscreener.PNF, c_fsreplication.PNF, c_processor.PNF, PerceptionSimulationSixDof.PNF, ts_generic.PNF, c_receiptprinter.PNF, miradisp.PNF, c_sslaccel.PNF, c_fssystemrecovery.PNF
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 11 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 mmc.exe
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName mmc.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 mmc.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000 taskmgr.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 mmc.exe
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags mmc.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 mmc.exe
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags mmc.exe
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName mmc.exe
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName taskmgr.exe
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 taskmgr.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString taskmgr.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 2 IoCs
Processes (pid, process):
- 2620 timeout.exe
- 3004 timeout.exe
Enumerates system info in registry 2 TTPs 3 IoCs
Processes (description, ioc, process):
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE
Modifies registry class 1 IoCs
Processes (description, ioc, process):
- Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings control.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes (pid, process):
- 1576 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid, process; the same pid/process pair is listed once per call, 64 hits in total):
- 1008 powershell.exe (3 hits)
- 3948 taskmgr.exe
- 1884 MicrosoftApi.exe (2 hits)
- 1696 ScreanDriver.exe
The remaining 59 hits are split between 3948 taskmgr.exe and 1696 ScreanDriver.exe.
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (pid, process):
- 3808 mmc.exe
Suspicious use of AdjustPrivilegeToken 38 IoCs
Processes (token, pid, process):
- 1008 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- 3948 taskmgr.exe: SeDebugPrivilege, SeSystemProfilePrivilege, SeCreateGlobalPrivilege
- 3700 control.exe: SeShutdownPrivilege, SeCreatePagefilePrivilege
- 3808 mmc.exe: 33, SeIncBasePriorityPrivilege, 33, SeIncBasePriorityPrivilege
- 3948 taskmgr.exe: 33, SeIncBasePriorityPrivilege
- 1884 MicrosoftApi.exe: SeDebugPrivilege
- 1696 ScreanDriver.exe: SeDebugPrivilege
- 2156 ScreanDriver.exe: SeDebugPrivilege
- 1940 ScreanDriver.exe: SeDebugPrivilege
- 480 ScreanDriver.exe: SeDebugPrivilege
Suspicious use of FindShellTrayWindow 64 IoCs
Processes (pid, process; one row per call):
- 3948 taskmgr.exe (63 hits)
- 3808 mmc.exe (1 hit)
Suspicious use of SendNotifyMessage 64 IoCs
Processes (pid, process; one row per call):
- 3948 taskmgr.exe (64 hits)
Suspicious use of SetWindowsHookEx 14 IoCs
Processes (pid, process; one row per call):
- 1576 EXCEL.EXE (11 hits)
- 3808 mmc.exe (3 hits)
Suspicious use of WriteProcessMemory 24 IoCs
Processes (source pid/process wrote to memory of target pid/process; each pair is reported twice, 24 rows in total):
- 4060 mine.exe -> 3292 MicrosoftApi.exe
- 3292 MicrosoftApi.exe -> 1120 cmd.exe
- 3292 MicrosoftApi.exe -> 1272 cmd.exe
- 1272 cmd.exe -> 3004 timeout.exe
- 1120 cmd.exe -> 2620 timeout.exe
- 1120 cmd.exe -> 1008 powershell.exe
- 1272 cmd.exe -> 1304 schtasks.exe
- 3700 control.exe -> 3808 mmc.exe
- 1884 MicrosoftApi.exe -> 1696 ScreanDriver.exe
- 1884 MicrosoftApi.exe -> 2156 ScreanDriver.exe
- 1884 MicrosoftApi.exe -> 1940 ScreanDriver.exe
- 1884 MicrosoftApi.exe -> 480 ScreanDriver.exe
Processes (process tree, indented by depth; each entry gives the image path, its command line, and the signatures it triggered)

C:\Users\Admin\AppData\Local\Temp\mine.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\mine.exe"
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe
    Command line: "C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBEC2.tmp.cmd""
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\timeout.exe
        Command line: timeout 4
        - Delays execution with timeout.exe

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBEC3.tmp.cmd""
      - Suspicious use of WriteProcessMemory

      C:\Windows\system32\timeout.exe
        Command line: timeout 4
        - Delays execution with timeout.exe

      C:\Windows\system32\schtasks.exe
        Command line: schtasks.exe /create /f /sc MINUTE /mo 1 /tn "MicrosoftApi" /tr "'C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe"'
        - Creates scheduled task(s)

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /n "C:\Users\Admin\Desktop\ImportTrace.xltm"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /0
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Windows\system32\control.exe
  Command line: "C:\Windows\system32\control.exe" /name Microsoft.DeviceManager
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\mmc.exe
    Command line: "C:\Windows\system32\mmc.exe" C:\Windows\system32\devmgmt.msc
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}

C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe
  Command line: C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\ScreanDriver.exe
    Command line: "C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\ScreanDriver.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\ScreanDriver.exe
    Command line: "C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\ScreanDriver.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\ScreanDriver.exe
    Command line: "C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\ScreanDriver.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\ScreanDriver.exe
    Command line: "C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\ScreanDriver.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MicrosoftApi.exe.log
  MD5 91da0e0d6c73120560eafe3fb0a762fa
  SHA1 450b05f8ca5afb737da4312cf7d1603e695ec136
  SHA256 bbb62e473ac1b24a55b9fca67848cebc87764d47a6bf60f51d85ed6de28575d1
  SHA512 05fb7457b58d099581121c9afc361543a5d2d4b3444994be5cf6a36b3010a76a13310698f77452e2921dc6d1ac511240d95588030a5983eaee7899b625f4e11a
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ScreanDriver.exe.log
  MD5 b0fa3a2c527d3e19302605f3f326855b
  SHA1 3b5e7bf9d44a1280da080ec1565b7ed466a620ae
  SHA256 836183e565e09910a755b9477c674e9b6bd8b9ec8cd4b6dc70ffaf6aed6a3402
  SHA512 7b42119fe44567d21060bba50f202c0dba100d753073fa7123b28160b70a8f62c745af5146f0f1bc3e877470445b2a91fd262ea737561cbb69649a23e3462252
- C:\Users\Admin\AppData\Local\Temp\tmpBEC2.tmp.cmd
  MD5 3c5113ab1b42946ffdc89349b2c6d209
  SHA1 6898e37d08571dc49af526f5be014f59f5f51988
  SHA256 32b16e36907b4fc7b1c790f128288324cc28d4ed5e6bd2835ad8101d9d8a9dee
  SHA512 a133ad3cfc408a9b90e03a777627cc4c3faa1773f3ba8fe8afc688eefa9ee911f01fd3eac239fd4a2338eb53c509883c399df9b94ec8058f4df6feb700348405
- C:\Users\Admin\AppData\Local\Temp\tmpBEC3.tmp.cmd
  MD5 d01ed91c2a99548628d82f6c86064252
  SHA1 f0daf48fc3f84e6e6b80020e58138daf203e38a5
  SHA256 1c145762349dfd3d710f2b80c833c6e0f4ea14f0891fa64d0bddbe3e7dfb83dd
  SHA512 2553e27e4d7ca42d50398c970d104db99f8004838afb8dbab5b8a70e7c220cc630db3a4e1b5a58d5a652ba82f3252d5de53f07e1ba6d4a2c2a66ffd958e76db8
- C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\ICSharpCode.SharpZipLib.dll
  MD5 5a5ab6c6bf9a23d07bc72cc19c37a432
  SHA1 12fd67b780088a9d95eecd06c59658447e42f65c
  SHA256 85ff339d1e0b853b0f544530fb022a30254f398d8cecfcdfa9e3c0310c3f4791
  SHA512 16f5d6af94daa0833d4a95fcf261273f7610a6aaba01b775a358bee6c4ff25d90ad93abfcaf917256038d0abd272502c10e4e8933a062d456db3db077a7221bd
- C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\MicrosoftApi.exe (listed twice in the original report, same hashes as the submitted mine.exe)
  MD5 09d83c47610228fcfa9ac97cddd492fe
  SHA1 fc63d772dfbf7cde2323f39fadcafbae86894c6a
  SHA256 3d6a3c3b0bfcd73cb4a07aabfdc5a915b7bc38c835cf5d87b724bc5aa7704653
  SHA512 2b6e85774a56c58e5ce133406924e38d6b4de8fffd5a46b27813cf738b69a28c877f440a863217fa6983813353a54798b608b1db1f95375ddf4a19e82be2a940
- C:\Users\Admin\AppData\Roaming\ServiceMicrosoftApi\ScreanDriver.exe (listed five times in the original report, identical hashes)
  MD5 7d5dce7315ef85297c70b1cc5dfe90fc
  SHA1 cd782852ecb85cbc4355003e265d5caa7003da20
  SHA256 4c2d0c1ffd5db4f4f6027f801dee59a0c38cc9cfb55ae60280a7e4aad2b5e370
  SHA512 aba0deb7ffd417772329489092752f6ad72edf003186baf4eabdbf30b6202c1e13d290a1bc63c9696d7fb5790e0afb250caa4ed840b158d31721e3497662550f
- \??\c:\users\admin\appdata\roaming\servicemicrosoftapi\microsoftapi.exe
  MD5 09d83c47610228fcfa9ac97cddd492fe
  SHA1 fc63d772dfbf7cde2323f39fadcafbae86894c6a
  SHA256 3d6a3c3b0bfcd73cb4a07aabfdc5a915b7bc38c835cf5d87b724bc5aa7704653
  SHA512 2b6e85774a56c58e5ce133406924e38d6b4de8fffd5a46b27813cf738b69a28c877f440a863217fa6983813353a54798b608b1db1f95375ddf4a19e82be2a940
Memory dumps (region, file size where reported):
- memory/480-366-0x0000000000000000-mapping.dmp
- memory/480-371-0x000001EE75122000-0x000001EE75124000-memory.dmp (8KB)
- memory/480-370-0x000001EE75120000-0x000001EE75122000-memory.dmp (8KB)
- memory/1008-142-0x000001CF6A150000-0x000001CF6A152000-memory.dmp (8KB)
- memory/1008-143-0x000001CF6A153000-0x000001CF6A155000-memory.dmp (8KB)
- memory/1008-144-0x000001CF6ADF0000-0x000001CF6ADF1000-memory.dmp (4KB)
- memory/1008-167-0x000001CF6A156000-0x000001CF6A158000-memory.dmp (8KB)
- memory/1008-171-0x000001CF6A158000-0x000001CF6A159000-memory.dmp (4KB)
- memory/1008-138-0x000001CF6A120000-0x000001CF6A121000-memory.dmp (4KB)
- memory/1008-132-0x0000000000000000-mapping.dmp
- memory/1120-126-0x0000000000000000-mapping.dmp
- memory/1272-127-0x0000000000000000-mapping.dmp
- memory/1304-133-0x0000000000000000-mapping.dmp
- memory/1576-181-0x00007FF947920000-0x00007FF949815000-memory.dmp (31.0MB)
- memory/1576-180-0x00007FF92CFA0000-0x00007FF92CFB0000-memory.dmp (64KB)
- memory/1576-179-0x00007FF94B6E0000-0x00007FF94C7CE000-memory.dmp (16.9MB)
- memory/1576-352-0x00007FF92CFA0000-0x00007FF92CFB0000-memory.dmp (64KB)
- memory/1576-176-0x00007FF92CFA0000-0x00007FF92CFB0000-memory.dmp (64KB)
- memory/1576-351-0x00007FF92CFA0000-0x00007FF92CFB0000-memory.dmp (64KB)
- memory/1576-175-0x00007FF92CFA0000-0x00007FF92CFB0000-memory.dmp (64KB)
- memory/1576-174-0x00007FF92CFA0000-0x00007FF92CFB0000-memory.dmp (64KB)
- memory/1576-350-0x00007FF92CFA0000-0x00007FF92CFB0000-memory.dmp (64KB)
- memory/1576-173-0x00007FF92CFA0000-0x00007FF92CFB0000-memory.dmp (64KB)
- memory/1576-349-0x00007FF92CFA0000-0x00007FF92CFB0000-memory.dmp (64KB)
- memory/1576-172-0x00007FF7D74D0000-0x00007FF7DAA86000-memory.dmp (53.7MB)
- memory/1696-338-0x000001C244B54000-0x000001C244B56000-memory.dmp (8KB)
- memory/1696-331-0x0000000000000000-mapping.dmp
- memory/1696-334-0x000001C2447B0000-0x000001C2447B1000-memory.dmp (4KB)
- memory/1696-337-0x000001C244B52000-0x000001C244B54000-memory.dmp (8KB)
- memory/1696-336-0x000001C244B50000-0x000001C244B52000-memory.dmp (8KB)
- memory/1884-328-0x00000277BB450000-0x00000277BB452000-memory.dmp (8KB)
- memory/1884-330-0x00000277A2960000-0x00000277A2961000-memory.dmp (4KB)
- memory/1940-364-0x000002DCC88B0000-0x000002DCC88B2000-memory.dmp (8KB)
- memory/1940-365-0x000002DCC88B2000-0x000002DCC88B4000-memory.dmp (8KB)
- memory/1940-360-0x0000000000000000-mapping.dmp
- memory/2156-358-0x0000029957440000-0x0000029957442000-memory.dmp (8KB)
- memory/2156-353-0x0000000000000000-mapping.dmp
- memory/2156-359-0x0000029957442000-0x0000029957444000-memory.dmp (8KB)
- memory/2620-131-0x0000000000000000-mapping.dmp
- memory/3004-130-0x0000000000000000-mapping.dmp
- memory/3292-124-0x00007FF900000000-0x00007FF900002000-memory.dmp (8KB)
- memory/3292-125-0x00007FF900030000-0x00007FF900031000-memory.dmp (4KB)
- memory/3292-122-0x00007FF765CA0000-0x00007FF765CA1000-memory.dmp (4KB)
- memory/3292-119-0x0000000000000000-mapping.dmp
- memory/3808-322-0x0000000000000000-mapping.dmp
- memory/4060-115-0x00007FF900030000-0x00007FF900031000-memory.dmp (4KB)
- memory/4060-117-0x00007FF68FC70000-0x00007FF68FC71000-memory.dmp (4KB)
- memory/4060-114-0x00007FF900000000-0x00007FF900002000-memory.dmp (8KB)