xmrig | 6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8

General

Target

6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
Size

24.8MB
MD5

a69f2a147f7e89dd42380ffb84e30220
SHA1

1ffe6cd533ec527dbdbd85c057fa8acfbc92d432
SHA256

6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8
SHA512

fc2685d5f28c8a19bab6b5a92c63f1e5115c4525710685aef80b780d5d377cac81cd0b0ef704a6a2c293e252dc9a82b155fb65a5518555fc7c230bc57114ba1b

Score

10^/10

xmrig evasion miner persistence spyware stealer trojan

Malware Config

Signatures

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 1 IoCs

miner

Processes:

resource	yara_rule
C:\Windows\svchost.exe	xmrig

Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

952 svchost.exe
Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
952	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe"	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe

Drops file in System32 directory 1 IoCs

Processes:

6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe

description ioc process

File created C:\Windows\SysWOW64\regedit.exe 6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe

description	ioc	process
File created	C:\Windows\SysWOW64\regedit.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe

Drops file in Program Files directory 64 IoCs

Processes:

6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Media Player\wmlaunch.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File created	C:\Program Files (x86)\Windows Media Player\WMPDMC.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File created	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSQRY32.EXE	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File created	C:\Program Files\Windows Media Player\WMPDMC.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.EXE	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File created	C:\Program Files\Windows Mail\WinMail.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File created	C:\Program Files\Windows Media Player\wmpnetwk.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File created	C:\Program Files\DVD Maker\DVDMaker.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Program Files\Java\jre7\bin\tnameserv.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File created	C:\Program Files (x86)\Windows Media Player\wmprph.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File created	C:\Program Files\Internet Explorer\ieinstal.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File created	C:\Program Files\Internet Explorer\iediagcmd.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Program Files\Java\jre7\bin\unpack200.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleCrashHandler64.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File created	C:\Program Files\Windows Photo Viewer\ImagingDevices.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateComRegisterShell64.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File created	C:\Program Files\Windows Media Player\wmprph.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\WORDICON.EXE	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe

Drops file in Windows directory 53 IoCs

Processes:

6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe

description	ioc	process
File created	C:\Windows\twunk_16.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\SMSvcHost\1bc1ee3c3aa45d28dcf4657bceb2fcb4\SMSvcHost.ni.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File created	C:\Windows\splwow64.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File created	C:\Windows\fveupdate.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File created	C:\Windows\assembly\GAC_MSIL\WsatConfig\3.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\MSBuild\af28543d9b3e7d9f110448ecce53cd72\MSBuild.ni.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Windows\config.json	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File created	C:\Windows\twunk_32.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File created	C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\ComSvcConfig\5f1a06c0108b2c81cde1dc491d74043d\ComSvcConfig.ni.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFontCac#\b3ade8d5c0d4bb5d4940bcafd3453642\PresentationFontCache.ni.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\LoadMxf\d09b54cd68bc772b3be3832926e940d4\LoadMxf.ni.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File created	C:\Windows\winhlp32.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\dfsvc\2c3e7fda8de40e45e7f5e004094dc7c9\dfsvc.ni.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File created	C:\Windows\HelpPane.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\dfsvc\9bc0d921859b039d6e9f642148333949\dfsvc.ni.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\Narrator\4cc02fad33053737088d4c18267ca0a0\Narrator.ni.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\ComSvcConfig\2bd538d545e15452202ef3b41080e2ce\ComSvcConfig.ni.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\dfsvc\261c09179eae03d67c9b6f3e70b603bd\dfsvc.ni.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\WsatConfig\36ca2928b2191011831ab673861c6ac6\WsatConfig.ni.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\MSBuild\b93c627ec2e15c2675bcc81edafb10be\MSBuild.ni.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File created	C:\Windows\svchost.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File created	C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\WsatConfig\537950d9c71af966e1d8c9deb550f842\WsatConfig.ni.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\ComSvcConfig\9a69a26417a09c2d9d7f67bf7592bd74\ComSvcConfig.ni.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File created	C:\Windows\hh.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File created	C:\Windows\assembly\GAC_MSIL\loadmxf\6.1.0.0__31bf3856ad364e35\loadmxf.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File created	C:\Windows\assembly\GAC_MSIL\Narrator\6.1.0.0__31bf3856ad364e35\Narrator.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File created	C:\Windows\assembly\GAC_MSIL\PresentationFontCache\3.0.0.0__31bf3856ad364e35\PresentationFontCache.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\dfsvc\bb4a1994db088e84b9d383271b082250\dfsvc.ni.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File created	C:\Windows\assembly\GAC_MSIL\ComSvcConfig\3.0.0.0__b03f5f7f11d50a3a\ComSvcConfig.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Windows\svchost.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File created	C:\Windows\assembly\GAC_32\ehexthost32\6.1.0.0__31bf3856ad364e35\ehexthost32.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File created	C:\Windows\assembly\GAC_MSIL\dfsvc\2.0.0.0__b03f5f7f11d50a3a\dfsvc.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\PresentationFontCac#\0246845f487e5f33d3564eff578665a3\PresentationFontCache.ni.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File created	C:\Windows\assembly\GAC_MSIL\ehexthost\6.1.0.0__31bf3856ad364e35\ehexthost.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\Narrator\0bae62c3fc6c327ed24989263988173d\Narrator.ni.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W71daf281#\df459c0a2762c33e0699703f186b1751\Microsoft.Workflow.Compiler.ni.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\SMSvcHost\e88db1688b08fbb889b0b9d4b1a51493\SMSvcHost.ni.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File created	C:\Windows\assembly\GAC_64\mcupdate\6.1.0.0__31bf3856ad364e35\mcupdate.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\ehExtHost\ad37b6e3a1cb1081592f1c5797ae9dad\ehExtHost.ni.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File created	C:\Windows\notepad.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\ehExtHost32\c899de3549784161aa66610d5735e4f0\ehExtHost32.ni.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\WsatConfig\96a8bdafba9f9d3e33cd974bfaa67e58\WsatConfig.ni.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File created	C:\Windows\config.json	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File created	C:\Windows\explorer.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File created	C:\Windows\assembly\GAC_MSIL\SMSvcHost\3.0.0.0__b03f5f7f11d50a3a\SMSvcHost.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\mcupdate\f30beba36940b5a2b55a32ea7f42d694\mcupdate.ni.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File created	C:\Windows\write.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\ComSvcConfig\d632b7434f821829827657e23ac98589\ComSvcConfig.ni.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\MSBuild\1a154709cdfe214029ea88c51ab2b579\MSBuild.ni.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\SMSvcHost\04d794428d635f6a82ac57dd3d6f3628\SMSvcHost.ni.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
File created	C:\Windows\bfsvc.exe	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1276	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
Token: 33	1276	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
Token: SeIncBasePriorityPrivilege	1276	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
Token: SeIncBasePriorityPrivilege	952	svchost.exe
Token: SeLockMemoryPrivilege	952	svchost.exe
Token: SeLockMemoryPrivilege	952	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe

pid process

1276 6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe

pid	process
1276	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe

description	pid	process	target process
PID 1276 wrote to memory of 952	1276	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe	svchost.exe
PID 1276 wrote to memory of 952	1276	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe	svchost.exe
PID 1276 wrote to memory of 952	1276	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe	svchost.exe
PID 1276 wrote to memory of 952	1276	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe	svchost.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe

C:\Users\Admin\AppData\Local\Temp\6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe
"C:\Users\Admin\AppData\Local\Temp\6b7359e733d8e32a8844dccf6d9a910c87a0cc45dbdcd00e66aedf116b5d23a8.exe"
1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1276

C:\Windows\svchost.exe
"C:\Windows\svchost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:952

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Modify Registry

4

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\config.json
Filesize
1KB

MD5
88c5c5706d2e237422eda18490dc6a59

SHA1
bb8d12375f6b995301e756de2ef4fa3a3f6efd39

SHA256
4756a234ed3d61fe187d9b6140792e54e7b757545edff82df594a507e528ed8e

SHA512
a417270a0d46de5bb06a621c0383c893042a506524713f89ba55567df6e5c3ac8b198bce5a0300ec6e716897bb53fd3e8289a51240157dc743004517673d4ab7

Download Submit
C:\Windows\svchost.exe
Filesize
833KB

MD5
4a87a4d6677558706db4afaeeeb58d20

SHA1
7738dc6a459f8415f0265d36c626b48202cd6764

SHA256
08b55f9b7dafc53dfc43f7f70cdd7048d231767745b76dc4474370fb323d7ae7

SHA512
bedd8ed4975df3fcd4a0f575d6f38e3841e7a4b771baac4f72033102a070818b8539eb101c50563d89d4f3454899a1cedb33047b02e421256dedf9aaf258b594

Download Submit
memory/952-55-0x0000000000000000-mapping.dmp

Download
memory/1276-54-0x00000000756E1000-0x00000000756E3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads