phorphiex | e0ac6b5de69220016ae30e12a499cd7e0002ab66942203376a0bb97b1790ad70

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07-02-2023 06:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

75KB
MD5

17eb719f9e19aefae9114aa922681e7f
SHA1

a2165a6d3ff4dee62215bd489bbcc0aaa498e70a
SHA256

e0ac6b5de69220016ae30e12a499cd7e0002ab66942203376a0bb97b1790ad70
SHA512

77e7663c0b2cccf1f357c3f75cae22b0c8e207d482f8e5237f3d81844266d4f49d10574abbb6531ab20b417ed19a4d4991214933362a004413ccbe8a41f194de
SSDEEP

1536:gY3Mz8y5D0FLcNU33CxcuxrMhenfFzeeeeeeeeeeeeeeeeeeeWeeeee:MwLFLQs3vuxrPnfF

Score

10^/10

phorphiex xmrig evasion loader miner persistence trojan upx worm

Malware Config

Extracted

Family

phorphiex

http://185.215.113.66/

Wallets

1Gpu5QiBqsquu71AGqHwb4Y68iwnkdGH1k

3PPJU1omRSTwxDbbfVyxh9Mm8WkiMGZviMh

37AcEVDyoPyUJUKNM3mM1UxNNvKgN6Abn5

qqlt9zzv020vtlswk5v6e90nv7hsuqz0nggp4rj5t0

Xj6orHUgmtZtPb2wGSTX2reQZJ89ZeeYYG

DRyZQqRX998DYdf7zGdTCShGcRBbxjUAbF

0x25229D09B0048F23e60c010C8eE1ae65C727e973

LhoapQ1TFjG2Fvbwn5WbM2wYcwisKRVz7x

r3j2xjQLmVa6Cg3cHZLqLNVja1x6g1AtNL

TVTrpva4J2g8SENebPar4YnfnCqwUeiX4a

t1MrdY4n3DBL3uip5Pq6tqx4doYpihJJG68

AXUqtUXyQmU8buqL5ehCLuLLHhhFrREXuw

bitcoincash:qqlt9zzv020vtlswk5v6e90nv7hsuqz0nggp4rj5t0

48jYpFT6bT8MTeph7VsyzCQeDsGHqdQNc2kUkRFJPzfRHHjarBvBtudPUtParMkDzZbYBrd3yntWBQcsnVBNeeMbN9EXifg

GDX4NDGHA5WKQLOI65PKPZRHSN6ZAUBRHA7BL44O5IOVMMZFZISMHTUD

bnb1zm5y3pns0ertprnvdyulz63tenlp9kc4m78v0m

bc1qdk0fquc7ug2zn7zpdyx4kasdy34t00c5r2xdup

Signatures

Phorphiex
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

Processes:

1732610702.exewinsvrupd.exe

description	pid	process	target process
PID 1540 created 1220	1540	1732610702.exe	Explorer.EXE
PID 1540 created 1220	1540	1732610702.exe	Explorer.EXE
PID 1500 created 1220	1500	winsvrupd.exe	Explorer.EXE
PID 1500 created 1220	1500	winsvrupd.exe	Explorer.EXE
PID 1500 created 1220	1500	winsvrupd.exe	Explorer.EXE

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

sysagrsv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysagrsv.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1288-100-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/1288-103-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig

Blocklisted process makes network request 1 IoCs

Processes:

cmd.exe

flow pid process

35 1288 cmd.exe
Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

sysagrsv.exe146403918.exe2696522296.exe1732610702.exewinsvrupd.exe

pid process

1284 sysagrsv.exe
968 146403918.exe
560 2696522296.exe
1540 1732610702.exe
1500 winsvrupd.exe
Loads dropped DLL 5 IoCs

Processes:

sysagrsv.exe146403918.exetaskeng.exe

pid process

1284 sysagrsv.exe
1284 sysagrsv.exe
1284 sysagrsv.exe
968 146403918.exe
520 taskeng.exe

flow	pid	process
35	1288	cmd.exe

pid	process
1284	sysagrsv.exe
968	146403918.exe
560	2696522296.exe
1540	1732610702.exe
1500	winsvrupd.exe

pid	process
1284	sysagrsv.exe
1284	sysagrsv.exe
1284	sysagrsv.exe
968	146403918.exe
520	taskeng.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1288-100-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/1288-103-0x0000000140000000-0x00000001407F4000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

sysagrsv.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysagrsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysagrsv.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysagrsv.exe"	tmp.exe

Drops file in System32 directory 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

winsvrupd.exe

description pid process target process

PID 1500 set thread context of 1288 1500 winsvrupd.exe cmd.exe
Drops file in Windows directory 2 IoCs

Processes:

tmp.exe

description ioc process

File created C:\Windows\sysagrsv.exe tmp.exe
File opened for modification C:\Windows\sysagrsv.exe tmp.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1964 schtasks.exe
1300 schtasks.exe

description	pid	process	target process
PID 1500 set thread context of 1288	1500	winsvrupd.exe	cmd.exe

description	ioc	process
File created	C:\Windows\sysagrsv.exe	tmp.exe
File opened for modification	C:\Windows\sysagrsv.exe	tmp.exe

pid	process
1964	schtasks.exe
1300	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

1732610702.exepowershell.exepowershell.exewinsvrupd.exepowershell.exe

pid	process
1540	1732610702.exe
1540	1732610702.exe
1128	powershell.exe
1540	1732610702.exe
1540	1732610702.exe
1712	powershell.exe
1500	winsvrupd.exe
1500	winsvrupd.exe
780	powershell.exe
1500	winsvrupd.exe
1500	winsvrupd.exe
1500	winsvrupd.exe
1500	winsvrupd.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

464

pid	process
464

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

powershell.exepowershell.exepowershell.exeWMIC.execmd.exe

description	pid	process
Token: SeDebugPrivilege	1128	powershell.exe
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	780	powershell.exe
Token: SeIncreaseQuotaPrivilege	1368	WMIC.exe
Token: SeSecurityPrivilege	1368	WMIC.exe
Token: SeTakeOwnershipPrivilege	1368	WMIC.exe
Token: SeLoadDriverPrivilege	1368	WMIC.exe
Token: SeSystemProfilePrivilege	1368	WMIC.exe
Token: SeSystemtimePrivilege	1368	WMIC.exe
Token: SeProfSingleProcessPrivilege	1368	WMIC.exe
Token: SeIncBasePriorityPrivilege	1368	WMIC.exe
Token: SeCreatePagefilePrivilege	1368	WMIC.exe
Token: SeBackupPrivilege	1368	WMIC.exe
Token: SeRestorePrivilege	1368	WMIC.exe
Token: SeShutdownPrivilege	1368	WMIC.exe
Token: SeDebugPrivilege	1368	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1368	WMIC.exe
Token: SeRemoteShutdownPrivilege	1368	WMIC.exe
Token: SeUndockPrivilege	1368	WMIC.exe
Token: SeManageVolumePrivilege	1368	WMIC.exe
Token: 33	1368	WMIC.exe
Token: 34	1368	WMIC.exe
Token: 35	1368	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1368	WMIC.exe
Token: SeSecurityPrivilege	1368	WMIC.exe
Token: SeTakeOwnershipPrivilege	1368	WMIC.exe
Token: SeLoadDriverPrivilege	1368	WMIC.exe
Token: SeSystemProfilePrivilege	1368	WMIC.exe
Token: SeSystemtimePrivilege	1368	WMIC.exe
Token: SeProfSingleProcessPrivilege	1368	WMIC.exe
Token: SeIncBasePriorityPrivilege	1368	WMIC.exe
Token: SeCreatePagefilePrivilege	1368	WMIC.exe
Token: SeBackupPrivilege	1368	WMIC.exe
Token: SeRestorePrivilege	1368	WMIC.exe
Token: SeShutdownPrivilege	1368	WMIC.exe
Token: SeDebugPrivilege	1368	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1368	WMIC.exe
Token: SeRemoteShutdownPrivilege	1368	WMIC.exe
Token: SeUndockPrivilege	1368	WMIC.exe
Token: SeManageVolumePrivilege	1368	WMIC.exe
Token: 33	1368	WMIC.exe
Token: 34	1368	WMIC.exe
Token: 35	1368	WMIC.exe
Token: SeLockMemoryPrivilege	1288	cmd.exe
Token: SeLockMemoryPrivilege	1288	cmd.exe

Suspicious use of FindShellTrayWindow 18 IoCs

Processes:

cmd.exe

pid	process
1288	cmd.exe
1288	cmd.exe
1288	cmd.exe
1288	cmd.exe
1288	cmd.exe
1288	cmd.exe
1288	cmd.exe
1288	cmd.exe
1288	cmd.exe
1288	cmd.exe
1288	cmd.exe
1288	cmd.exe
1288	cmd.exe
1288	cmd.exe
1288	cmd.exe
1288	cmd.exe
1288	cmd.exe
1288	cmd.exe

Suspicious use of SendNotifyMessage 18 IoCs

Processes:

cmd.exe

pid	process
1288	cmd.exe
1288	cmd.exe
1288	cmd.exe
1288	cmd.exe
1288	cmd.exe
1288	cmd.exe
1288	cmd.exe
1288	cmd.exe
1288	cmd.exe
1288	cmd.exe
1288	cmd.exe
1288	cmd.exe
1288	cmd.exe
1288	cmd.exe
1288	cmd.exe
1288	cmd.exe
1288	cmd.exe
1288	cmd.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

tmp.exesysagrsv.exe146403918.exepowershell.exepowershell.exetaskeng.exepowershell.execmd.exewinsvrupd.exe

description	pid	process	target process
PID 1324 wrote to memory of 1284	1324	tmp.exe	sysagrsv.exe
PID 1324 wrote to memory of 1284	1324	tmp.exe	sysagrsv.exe
PID 1324 wrote to memory of 1284	1324	tmp.exe	sysagrsv.exe
PID 1324 wrote to memory of 1284	1324	tmp.exe	sysagrsv.exe
PID 1284 wrote to memory of 968	1284	sysagrsv.exe	146403918.exe
PID 1284 wrote to memory of 968	1284	sysagrsv.exe	146403918.exe
PID 1284 wrote to memory of 968	1284	sysagrsv.exe	146403918.exe
PID 1284 wrote to memory of 968	1284	sysagrsv.exe	146403918.exe
PID 1284 wrote to memory of 560	1284	sysagrsv.exe	2696522296.exe
PID 1284 wrote to memory of 560	1284	sysagrsv.exe	2696522296.exe
PID 1284 wrote to memory of 560	1284	sysagrsv.exe	2696522296.exe
PID 1284 wrote to memory of 560	1284	sysagrsv.exe	2696522296.exe
PID 968 wrote to memory of 1540	968	146403918.exe	1732610702.exe
PID 968 wrote to memory of 1540	968	146403918.exe	1732610702.exe
PID 968 wrote to memory of 1540	968	146403918.exe	1732610702.exe
PID 968 wrote to memory of 1540	968	146403918.exe	1732610702.exe
PID 1128 wrote to memory of 1964	1128	powershell.exe	schtasks.exe
PID 1128 wrote to memory of 1964	1128	powershell.exe	schtasks.exe
PID 1128 wrote to memory of 1964	1128	powershell.exe	schtasks.exe
PID 1712 wrote to memory of 1144	1712	powershell.exe	schtasks.exe
PID 1712 wrote to memory of 1144	1712	powershell.exe	schtasks.exe
PID 1712 wrote to memory of 1144	1712	powershell.exe	schtasks.exe
PID 520 wrote to memory of 1500	520	taskeng.exe	winsvrupd.exe
PID 520 wrote to memory of 1500	520	taskeng.exe	winsvrupd.exe
PID 520 wrote to memory of 1500	520	taskeng.exe	winsvrupd.exe
PID 780 wrote to memory of 1300	780	powershell.exe	schtasks.exe
PID 780 wrote to memory of 1300	780	powershell.exe	schtasks.exe
PID 780 wrote to memory of 1300	780	powershell.exe	schtasks.exe
PID 912 wrote to memory of 1368	912	cmd.exe	WMIC.exe
PID 912 wrote to memory of 1368	912	cmd.exe	WMIC.exe
PID 912 wrote to memory of 1368	912	cmd.exe	WMIC.exe
PID 1500 wrote to memory of 1288	1500	winsvrupd.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1220

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\sysagrsv.exe
C:\Windows\sysagrsv.exe
3⤵
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Suspicious use of WriteProcessMemory
PID:1284

C:\Users\Admin\AppData\Local\Temp\146403918.exe
C:\Users\Admin\AppData\Local\Temp\146403918.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:968

C:\Users\Admin\AppData\Local\Temp\1732610702.exe
C:\Users\Admin\AppData\Local\Temp\1732610702.exe
5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1540

C:\Users\Admin\AppData\Local\Temp\2696522296.exe
C:\Users\Admin\AppData\Local\Temp\2696522296.exe
4⤵
- Executes dropped EXE
PID:560

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fwjcobfk#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachine' /tr '''C:\Users\Admin\Windows Security\Update\winsvrupd.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Security\Update\winsvrupd.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachine' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachine" /t REG_SZ /f /d 'C:\Users\Admin\Windows Security\Update\winsvrupd.exe' }
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1128

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn GoogleUpdateTaskMachine /tr "'C:\Users\Admin\Windows Security\Update\winsvrupd.exe'"
3⤵
- Creates scheduled task(s)
PID:1964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#boaqiqu#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachine" } Else { "C:\Users\Admin\Windows Security\Update\winsvrupd.exe" }
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachine
3⤵
PID:1144

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fwjcobfk#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachine' /tr '''C:\Users\Admin\Windows Security\Update\winsvrupd.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Security\Update\winsvrupd.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachine' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachine" /t REG_SZ /f /d 'C:\Users\Admin\Windows Security\Update\winsvrupd.exe' }
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:780

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn GoogleUpdateTaskMachine /tr "'C:\Users\Admin\Windows Security\Update\winsvrupd.exe'"
3⤵
- Creates scheduled task(s)
PID:1300

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
2⤵
- Suspicious use of WriteProcessMemory
PID:912

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name, VideoProcessor
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1368

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe dxfechzzfypoyjbf 6E3sjfZq2rJQaxvLPmXgsEqPiBiBLmVqlQRiqAROwnovuL/XXMnmllvN0dE0MNZasUNTlydMwtsW2rj8icJseNEYIR9Mk2CrBAnQSkVd4ghuXK6zXctx/Rv1juQihv2xvWMCiOcCltF908O7Q2gnrwdkD5pEVAuSGMT8e5i6oyrq4eYUoHB2nuvdKC2X+JFQf7iSJSEOJr7GBp5A9pekMuLZ1K+sy4g4Epzwi6wbVxl8ZM8mn+7GccIbj+pVuNsDYY3GPzEsZqgcGX8v8f7JRHr2ZjrjHFfnkTA9y/qycxz5Gn7YfwXD9vtnqqY+8qFe
2⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1288

C:\Windows\system32\taskeng.exe
taskeng.exe {EE713968-95F8-461E-ACE9-094056EFEBE3} S-1-5-21-3845472200-3839195424-595303356-1000:ZERMMMDR\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:520

C:\Users\Admin\Windows Security\Update\winsvrupd.exe
"C:\Users\Admin\Windows Security\Update\winsvrupd.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1500

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\146403918.exe
Filesize
6KB

MD5
03ee7b245daeebbf2ccaa1690a9fc8fc

SHA1
561710d7f8c05ff5c2a3a384be5de6e023e41ac4

SHA256
6bc23b9878978a2f3c507acfdad0b2244a8bda5143359613db039cb21d9c1228

SHA512
f64163899218b24ee1dd59748e024e0106d83dbea3e31c0f05b1efb8558a47c232dbbcd1463a121c63e2dff2743887925238d8bf6eab0b9ee0292386918e8e55

Download Submit
C:\Users\Admin\AppData\Local\Temp\1732610702.exe
Filesize
2.0MB

MD5
7b0633ae007d5d202c33d505d580d4b7

SHA1
3fcc4bd2af14b385104c27d8a192c938295bba3e

SHA256
84984b4ae961524fa29008d142c78b6a859b451bdd21cedc04cc25caf4256116

SHA512
e1038eeaa16cc1a8c514870d2f3892c7a68f083fe7f9751906e75d93c079a51190f61e153c145302ec0c3c761de5b5e1803a7338041665d4584214a11048647f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1732610702.exe
Filesize
2.0MB

MD5
7b0633ae007d5d202c33d505d580d4b7

SHA1
3fcc4bd2af14b385104c27d8a192c938295bba3e

SHA256
84984b4ae961524fa29008d142c78b6a859b451bdd21cedc04cc25caf4256116

SHA512
e1038eeaa16cc1a8c514870d2f3892c7a68f083fe7f9751906e75d93c079a51190f61e153c145302ec0c3c761de5b5e1803a7338041665d4584214a11048647f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2696522296.exe
Filesize
75KB

MD5
17eb719f9e19aefae9114aa922681e7f

SHA1
a2165a6d3ff4dee62215bd489bbcc0aaa498e70a

SHA256
e0ac6b5de69220016ae30e12a499cd7e0002ab66942203376a0bb97b1790ad70

SHA512
77e7663c0b2cccf1f357c3f75cae22b0c8e207d482f8e5237f3d81844266d4f49d10574abbb6531ab20b417ed19a4d4991214933362a004413ccbe8a41f194de

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Libs\g.log
Filesize
198B

MD5
37dd19b2be4fa7635ad6a2f3238c4af1

SHA1
e5b2c034636b434faee84e82e3bce3a3d3561943

SHA256
8066872eea036f3ff59d58ff82ea1d5a8248ebc3c2b6161a17fe5c48441edc07

SHA512
86e8550412f282e18ef0c6417ee94e9c141433913452efffb738d92f040e20ecc5e2250e9e2ac1f94c248eab83a601cba5b006e982a4aefe9dcb88e9c53c67e5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
17958e41eabb56175a61b6812e3f4e83

SHA1
91521587aec70630925be4bd1703b9f01a1d3f97

SHA256
586d52803234e1f2eb51f3a7f8c4bf9cea355f2d4ad889cbbad736defad0fa94

SHA512
67e823357945ffd27bf67c6fcb87b93f6a56dd81a3b3badd6788d14591b2b761307df3756a764ae7eb1120904c2a88b162ace0a8d18d07592195dacbf81ae1c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
17958e41eabb56175a61b6812e3f4e83

SHA1
91521587aec70630925be4bd1703b9f01a1d3f97

SHA256
586d52803234e1f2eb51f3a7f8c4bf9cea355f2d4ad889cbbad736defad0fa94

SHA512
67e823357945ffd27bf67c6fcb87b93f6a56dd81a3b3badd6788d14591b2b761307df3756a764ae7eb1120904c2a88b162ace0a8d18d07592195dacbf81ae1c2

Download Submit
C:\Users\Admin\Windows Security\Update\winsvrupd.exe
Filesize
2.0MB

MD5
7b0633ae007d5d202c33d505d580d4b7

SHA1
3fcc4bd2af14b385104c27d8a192c938295bba3e

SHA256
84984b4ae961524fa29008d142c78b6a859b451bdd21cedc04cc25caf4256116

SHA512
e1038eeaa16cc1a8c514870d2f3892c7a68f083fe7f9751906e75d93c079a51190f61e153c145302ec0c3c761de5b5e1803a7338041665d4584214a11048647f

Download Submit
C:\Windows\sysagrsv.exe
Filesize
75KB

MD5
17eb719f9e19aefae9114aa922681e7f

SHA1
a2165a6d3ff4dee62215bd489bbcc0aaa498e70a

SHA256
e0ac6b5de69220016ae30e12a499cd7e0002ab66942203376a0bb97b1790ad70

SHA512
77e7663c0b2cccf1f357c3f75cae22b0c8e207d482f8e5237f3d81844266d4f49d10574abbb6531ab20b417ed19a4d4991214933362a004413ccbe8a41f194de

Download Submit
C:\Windows\sysagrsv.exe
Filesize
75KB

MD5
17eb719f9e19aefae9114aa922681e7f

SHA1
a2165a6d3ff4dee62215bd489bbcc0aaa498e70a

SHA256
e0ac6b5de69220016ae30e12a499cd7e0002ab66942203376a0bb97b1790ad70

SHA512
77e7663c0b2cccf1f357c3f75cae22b0c8e207d482f8e5237f3d81844266d4f49d10574abbb6531ab20b417ed19a4d4991214933362a004413ccbe8a41f194de

Download Submit
\Users\Admin\AppData\Local\Temp\146403918.exe
Filesize
6KB

MD5
03ee7b245daeebbf2ccaa1690a9fc8fc

SHA1
561710d7f8c05ff5c2a3a384be5de6e023e41ac4

SHA256
6bc23b9878978a2f3c507acfdad0b2244a8bda5143359613db039cb21d9c1228

SHA512
f64163899218b24ee1dd59748e024e0106d83dbea3e31c0f05b1efb8558a47c232dbbcd1463a121c63e2dff2743887925238d8bf6eab0b9ee0292386918e8e55

Download Submit
\Users\Admin\AppData\Local\Temp\1732610702.exe
Filesize
2.0MB

MD5
7b0633ae007d5d202c33d505d580d4b7

SHA1
3fcc4bd2af14b385104c27d8a192c938295bba3e

SHA256
84984b4ae961524fa29008d142c78b6a859b451bdd21cedc04cc25caf4256116

SHA512
e1038eeaa16cc1a8c514870d2f3892c7a68f083fe7f9751906e75d93c079a51190f61e153c145302ec0c3c761de5b5e1803a7338041665d4584214a11048647f

Download Submit
\Users\Admin\AppData\Local\Temp\2696522296.exe
Filesize
75KB

MD5
17eb719f9e19aefae9114aa922681e7f

SHA1
a2165a6d3ff4dee62215bd489bbcc0aaa498e70a

SHA256
e0ac6b5de69220016ae30e12a499cd7e0002ab66942203376a0bb97b1790ad70

SHA512
77e7663c0b2cccf1f357c3f75cae22b0c8e207d482f8e5237f3d81844266d4f49d10574abbb6531ab20b417ed19a4d4991214933362a004413ccbe8a41f194de

Download Submit
\Users\Admin\AppData\Local\Temp\2696522296.exe
Filesize
75KB

MD5
17eb719f9e19aefae9114aa922681e7f

SHA1
a2165a6d3ff4dee62215bd489bbcc0aaa498e70a

SHA256
e0ac6b5de69220016ae30e12a499cd7e0002ab66942203376a0bb97b1790ad70

SHA512
77e7663c0b2cccf1f357c3f75cae22b0c8e207d482f8e5237f3d81844266d4f49d10574abbb6531ab20b417ed19a4d4991214933362a004413ccbe8a41f194de

Download Submit
\Users\Admin\Windows Security\Update\winsvrupd.exe
Filesize
2.0MB

MD5
7b0633ae007d5d202c33d505d580d4b7

SHA1
3fcc4bd2af14b385104c27d8a192c938295bba3e

SHA256
84984b4ae961524fa29008d142c78b6a859b451bdd21cedc04cc25caf4256116

SHA512
e1038eeaa16cc1a8c514870d2f3892c7a68f083fe7f9751906e75d93c079a51190f61e153c145302ec0c3c761de5b5e1803a7338041665d4584214a11048647f

Download Submit
memory/560-65-0x0000000000000000-mapping.dmp

Download
memory/780-95-0x000000000258B000-0x00000000025AA000-memory.dmp

Filesize
124KB

Download
memory/780-94-0x0000000002584000-0x0000000002587000-memory.dmp

Filesize
12KB

Download
memory/780-92-0x0000000002584000-0x0000000002587000-memory.dmp

Filesize
12KB

Download
memory/780-91-0x000007FEF3C60000-0x000007FEF47BD000-memory.dmp

Filesize
11.4MB

Download
memory/968-60-0x0000000000000000-mapping.dmp

Download
memory/1128-76-0x00000000023EB000-0x000000000240A000-memory.dmp

Filesize
124KB

Download
memory/1128-75-0x00000000023E4000-0x00000000023E7000-memory.dmp

Filesize
12KB

Download
memory/1128-73-0x000007FEF3C60000-0x000007FEF47BD000-memory.dmp

Filesize
11.4MB

Download
memory/1128-71-0x000007FEFB881000-0x000007FEFB883000-memory.dmp

Filesize
8KB

Download
memory/1128-101-0x00000000023EB000-0x000000000240A000-memory.dmp

Filesize
124KB

Download
memory/1144-82-0x0000000000000000-mapping.dmp

Download
memory/1284-55-0x0000000000000000-mapping.dmp

Download
memory/1288-100-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/1288-103-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/1288-102-0x0000000000000000-0x0000000001000000-memory.dmp

Filesize
16.0MB

Download
memory/1288-98-0x00000001407F2720-mapping.dmp

Download
memory/1288-99-0x00000000000B0000-0x00000000000D0000-memory.dmp

Filesize
128KB

Download
memory/1300-93-0x0000000000000000-mapping.dmp

Download
memory/1324-54-0x0000000075A11000-0x0000000075A13000-memory.dmp

Filesize
8KB

Download
memory/1368-96-0x0000000000000000-mapping.dmp

Download
memory/1500-86-0x0000000000000000-mapping.dmp

Download
memory/1540-69-0x0000000000000000-mapping.dmp

Download
memory/1712-84-0x00000000025AB000-0x00000000025CA000-memory.dmp

Filesize
124KB

Download
memory/1712-81-0x000007FEF2D80000-0x000007FEF38DD000-memory.dmp

Filesize
11.4MB

Download
memory/1712-83-0x00000000025A4000-0x00000000025A7000-memory.dmp

Filesize
12KB

Download
memory/1964-74-0x0000000000000000-mapping.dmp

Download