xmrig | 03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899

General

Target

03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
Size

9.6MB
MD5

a8006eceae1ca2135e9fcb792bac7789
SHA1

049a4566d0438781fc59db70811de54b61c23b9f
SHA256

03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899
SHA512

5a260c8475f11c11346d31d13a708e062f07ed694bb75bf2e866adabaadd56b6d18321963c1fa2b30e3348bdafcd651a9be31ace74ff199c2c5624df6a4c5ba6

Score

10^/10

xmrig evasion miner persistence spyware stealer trojan

Malware Config

Signatures

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 1 IoCs

miner

Processes:

resource	yara_rule
C:\Windows\svchost.exe	xmrig

Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

3328 svchost.exe
Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

pid	process
3328	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe"	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe

Drops file in System32 directory 64 IoCs

Processes:

03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe

description	ioc	process
File created	C:\Windows\SysWOW64\GamePanel.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\SysWOW64\msra.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\SysWOW64\netiougc.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\SysWOW64\SpatialAudioLicenseSrv.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\SysWOW64\TsWpfWrp.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\SysWOW64\CertEnrollCtrl.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\SysWOW64\getmac.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\SysWOW64\control.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\SysWOW64\hh.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\SysWOW64\mstsc.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\SysWOW64\rasautou.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\SysWOW64\svchost.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\SysWOW64\SndVol.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\SysWOW64\SystemPropertiesProtection.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\SysWOW64\Taskmgr.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\SysWOW64\certreq.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\SysWOW64\diskpart.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\SysWOW64\fontview.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\SysWOW64\mshta.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\SysWOW64\mspaint.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\SysWOW64\TpmInit.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\SysWOW64\regedit.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\SysWOW64\cttunesvr.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\SysWOW64\recover.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\SysWOW64\PkgMgr.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\SysWOW64\relog.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\SysWOW64\rundll32.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\SysWOW64\LaunchWinApp.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\SysWOW64\lodctr.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\SysWOW64\SystemPropertiesComputerName.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\SysWOW64\cmstp.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\SysWOW64\cscript.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\SysWOW64\cttune.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\SysWOW64\DWWIN.EXE	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\SysWOW64\ftp.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\SysWOW64\dplaysvr.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\SysWOW64\gpscript.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\SysWOW64\notepad.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\SysWOW64\RdpSa.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\SysWOW64\schtasks.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\SysWOW64\systeminfo.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\SysWOW64\systray.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\SysWOW64\tasklist.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\SysWOW64\SystemPropertiesRemote.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\SysWOW64\resmon.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\SysWOW64\Robocopy.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\SysWOW64\setx.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\SysWOW64\CredentialUIBroker.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\SysWOW64\fsutil.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\SysWOW64\odbcad32.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\SysWOW64\perfmon.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\SysWOW64\reg.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\SysWOW64\unlodctr.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\SysWOW64\dtdump.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\SysWOW64\hdwwiz.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\SysWOW64\InfDefaultInstall.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\SysWOW64\Netplwiz.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\SysWOW64\rrinstaller.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\SysWOW64\regsvr32.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\SysWOW64\timeout.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\SysWOW64\typeperf.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\SysWOW64\autoconv.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\SysWOW64\CameraSettingsUIHost.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\SysWOW64\cliconfg.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe

Drops file in Program Files directory 64 IoCs

Processes:

03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOSREC.EXE	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateBroker.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\rmiregistry.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SDXHelperBgt.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmadminicon.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Program Files\Internet Explorer\ExtExport.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\native2ascii.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\SpeechToTextOverlay64-Retail.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ssvagent.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msotd.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\XboxIdp.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\klist.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\unpack200.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\rmid.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\onenoteim.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\StoreExperienceHost.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PerfBoost.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\xlicons.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Program Files (x86)\Windows Media Player\setup_wm.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Program Files (x86)\Windows Media Player\wmpshare.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ktab.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\VPREVIEW.EXE	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Microsoft.MicrosoftSolitaireCollection.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge_pwa_launcher.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\officeappguardwin32.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppSharingHookController.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Program Files\Windows Media Player\wmplayer.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmclienticon.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstaller.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleCrashHandler64.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.157.61\MicrosoftEdgeUpdateBroker.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe

Drops file in Windows directory 64 IoCs

Processes:

03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Ldr64.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\winhlp32.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMConfigInstaller.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File opened for modification	C:\Windows\svchost.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\WsatConfig\v4.0_4.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\Microsoft.NET\Framework\NETFXSBS10.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\eula.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_wp.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.5\MSBuild.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\dfsvc\v4.0_4.0.0.0__b03f5f7f11d50a3a\dfsvc.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\WsatConfig.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ServiceModelReg.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.0\WPF\XamlViewer\XamlViewer_v0300.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.5\WFServicesReg.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\servicing\TrustedInstaller.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\acrotextextractor.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regbrowsers.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelReg.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMConfigInstaller.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.5\AddInUtil.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\reader_sl.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\jsc.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Workflow.Compiler\v4.0_4.0.0.0__31bf3856ad364e35\Microsoft.Workflow.Compiler.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.5\EdmGen.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.5\vbc.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\hh.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\wow_helper.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\aspnet_regbrowsers.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\bfsvc.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\assembly\GAC_MSIL\WsatConfig\3.0.0.0__b03f5f7f11d50a3a\WsatConfig.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32Info.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\MSBuild.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.5\DataSvcUtil.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.5\EdmGen.exe	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1664	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
Token: 33	1664	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
Token: SeIncBasePriorityPrivilege	1664	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
Token: SeIncBasePriorityPrivilege	3328	svchost.exe
Token: SeLockMemoryPrivilege	3328	svchost.exe
Token: SeLockMemoryPrivilege	3328	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe

pid process

1664 03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe

pid	process
1664	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe

description	pid	process	target process
PID 1664 wrote to memory of 3328	1664	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe	svchost.exe
PID 1664 wrote to memory of 3328	1664	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe	svchost.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe

C:\Users\Admin\AppData\Local\Temp\03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe
"C:\Users\Admin\AppData\Local\Temp\03f478cc3ba5a79563057c43ad001dfa70d9d674e1619bde66714b68e34f6899.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1664

C:\Windows\svchost.exe
"C:\Windows\svchost.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3328

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Modify Registry

4

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\config.json
Filesize
1KB

MD5
88c5c5706d2e237422eda18490dc6a59

SHA1
bb8d12375f6b995301e756de2ef4fa3a3f6efd39

SHA256
4756a234ed3d61fe187d9b6140792e54e7b757545edff82df594a507e528ed8e

SHA512
a417270a0d46de5bb06a621c0383c893042a506524713f89ba55567df6e5c3ac8b198bce5a0300ec6e716897bb53fd3e8289a51240157dc743004517673d4ab7

Download Submit
C:\Windows\svchost.exe
Filesize
833KB

MD5
4a87a4d6677558706db4afaeeeb58d20

SHA1
7738dc6a459f8415f0265d36c626b48202cd6764

SHA256
08b55f9b7dafc53dfc43f7f70cdd7048d231767745b76dc4474370fb323d7ae7

SHA512
bedd8ed4975df3fcd4a0f575d6f38e3841e7a4b771baac4f72033102a070818b8539eb101c50563d89d4f3454899a1cedb33047b02e421256dedf9aaf258b594

Download Submit
memory/3328-130-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads