phemedrone | e9279e7e028a9f198f01201bbdbfa6a8a2d1a7ee53bdd340f2f5a29644549236

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
23-01-2024 21:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Project 1.exe
Size

2.7MB
MD5

24e31bac47b8dd1d4188a4d0b1830cda
SHA1

04279866cb2234f779bd88d3cb2ca7ea7335c4ce
SHA256

e9279e7e028a9f198f01201bbdbfa6a8a2d1a7ee53bdd340f2f5a29644549236
SHA512

48bbce3da371fd0a8783c7fd9cea5e21432c6acc0ab80c3b36e26f796363f503173ef18cfe2cf64f19045a795e6431231a2e54ee8fff15a1b4e480b5a0277bd1
SSDEEP

49152:aHGqqtgcRICmk0M9VYfRNU6bupj/KRrpdq8guHcgqQnI0Z:YGqCRGWQRNU6b+/KLQ8rcghn

Score

10^/10

phemedrone xmrig evasion miner persistence spyware stealer upx

Malware Config

Signatures

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral2/memory/4364-199-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4364-200-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4364-202-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4364-203-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4364-204-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4364-205-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4364-206-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4364-208-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4364-209-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	News.exe
File created	C:\Windows\system32\drivers\etc\hosts	ggljrwvvwhni.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	New Project 1.exe

Executes dropped EXE 3 IoCs

pid	Process
380	News.exe
448	vegas.exe
3524	ggljrwvvwhni.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4364-194-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4364-195-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4364-197-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4364-198-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4364-196-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4364-199-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4364-200-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4364-202-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4364-203-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4364-204-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4364-205-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4364-206-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4364-208-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4364-209-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip-api.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	News.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	ggljrwvvwhni.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3524 set thread context of 3508	3524	ggljrwvvwhni.exe	148
PID 3524 set thread context of 4364	3524	ggljrwvvwhni.exe	147

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3972	sc.exe
4436	sc.exe
1496	sc.exe
2296	sc.exe
4348	sc.exe
1756	sc.exe
4840	sc.exe
1228	sc.exe
4536	sc.exe
4896	sc.exe
4920	sc.exe
2800	sc.exe
904	sc.exe
4384	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	New Project 1.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
448	vegas.exe
448	vegas.exe
448	vegas.exe
448	vegas.exe
448	vegas.exe
448	vegas.exe
448	vegas.exe
380	News.exe
448	vegas.exe
448	vegas.exe
4684	powershell.exe
4684	powershell.exe
448	vegas.exe
448	vegas.exe
380	News.exe
380	News.exe
380	News.exe
380	News.exe
380	News.exe
380	News.exe
380	News.exe
380	News.exe
380	News.exe
380	News.exe
380	News.exe
380	News.exe
380	News.exe
380	News.exe
380	News.exe
3524	ggljrwvvwhni.exe
448	vegas.exe
448	vegas.exe
1008	powershell.exe
1008	powershell.exe
448	vegas.exe
448	vegas.exe
3524	ggljrwvvwhni.exe
3524	ggljrwvvwhni.exe
3524	ggljrwvvwhni.exe
3524	ggljrwvvwhni.exe
3524	ggljrwvvwhni.exe
3524	ggljrwvvwhni.exe
3524	ggljrwvvwhni.exe
3524	ggljrwvvwhni.exe
3524	ggljrwvvwhni.exe
3524	ggljrwvvwhni.exe
3524	ggljrwvvwhni.exe
3524	ggljrwvvwhni.exe
4364	svchost.exe
4364	svchost.exe
4364	svchost.exe
4364	svchost.exe
4364	svchost.exe
4364	svchost.exe
4364	svchost.exe
4364	svchost.exe
4364	svchost.exe
4364	svchost.exe
4364	svchost.exe
4364	svchost.exe
4364	svchost.exe
4364	svchost.exe
4364	svchost.exe
4364	svchost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
684	Process not Found

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	448	vegas.exe
Token: SeDebugPrivilege	4684	powershell.exe
Token: SeDebugPrivilege	380	News.exe
Token: SeShutdownPrivilege	2276	powercfg.exe
Token: SeCreatePagefilePrivilege	2276	powercfg.exe
Token: SeShutdownPrivilege	2604	powercfg.exe
Token: SeCreatePagefilePrivilege	2604	powercfg.exe
Token: SeShutdownPrivilege	4916	powercfg.exe
Token: SeCreatePagefilePrivilege	4916	powercfg.exe
Token: SeShutdownPrivilege	3404	powercfg.exe
Token: SeCreatePagefilePrivilege	3404	powercfg.exe
Token: SeDebugPrivilege	1008	powershell.exe
Token: SeDebugPrivilege	3524	ggljrwvvwhni.exe
Token: SeShutdownPrivilege	4448	powercfg.exe
Token: SeCreatePagefilePrivilege	4448	powercfg.exe
Token: SeShutdownPrivilege	2012	powercfg.exe
Token: SeCreatePagefilePrivilege	2012	powercfg.exe
Token: SeShutdownPrivilege	876	powercfg.exe
Token: SeCreatePagefilePrivilege	876	powercfg.exe
Token: SeShutdownPrivilege	4300	powercfg.exe
Token: SeCreatePagefilePrivilege	4300	powercfg.exe
Token: SeLockMemoryPrivilege	4364	svchost.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 380	1508	New Project 1.exe	90
PID 1508 wrote to memory of 380	1508	New Project 1.exe	90
PID 1508 wrote to memory of 448	1508	New Project 1.exe	91
PID 1508 wrote to memory of 448	1508	New Project 1.exe	91
PID 3180 wrote to memory of 4080	3180	cmd.exe	107
PID 3180 wrote to memory of 4080	3180	cmd.exe	107
PID 868 wrote to memory of 4952	868	cmd.exe	133
PID 868 wrote to memory of 4952	868	cmd.exe	133
PID 3672 wrote to memory of 2756	3672	cmd.exe	139
PID 3672 wrote to memory of 2756	3672	cmd.exe	139
PID 3524 wrote to memory of 3508	3524	ggljrwvvwhni.exe	148
PID 3524 wrote to memory of 3508	3524	ggljrwvvwhni.exe	148
PID 3524 wrote to memory of 3508	3524	ggljrwvvwhni.exe	148
PID 3524 wrote to memory of 3508	3524	ggljrwvvwhni.exe	148
PID 3524 wrote to memory of 3508	3524	ggljrwvvwhni.exe	148
PID 3524 wrote to memory of 3508	3524	ggljrwvvwhni.exe	148
PID 3524 wrote to memory of 3508	3524	ggljrwvvwhni.exe	148
PID 3524 wrote to memory of 3508	3524	ggljrwvvwhni.exe	148
PID 3524 wrote to memory of 3508	3524	ggljrwvvwhni.exe	148
PID 3524 wrote to memory of 4364	3524	ggljrwvvwhni.exe	147
PID 3524 wrote to memory of 4364	3524	ggljrwvvwhni.exe	147
PID 3524 wrote to memory of 4364	3524	ggljrwvvwhni.exe	147
PID 3524 wrote to memory of 4364	3524	ggljrwvvwhni.exe	147
PID 3524 wrote to memory of 4364	3524	ggljrwvvwhni.exe	147

C:\Users\Admin\AppData\Local\Temp\New Project 1.exe
"C:\Users\Admin\AppData\Local\Temp\New Project 1.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Users\Admin\AppData\Local\Temp\News.exe
  "C:\Users\Admin\AppData\Local\Temp\News.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:380
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4684
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:4536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3180
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:4080
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:4896
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:4920
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:3972
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:4840
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3404
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "DRIRIEJS"
    3⤵
    - Launches sc.exe
    PID:1228
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4916
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2604
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2276
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "DRIRIEJS" binpath= "C:\ProgramData\fizpxdtvfdpb\ggljrwvvwhni.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:4436
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:2800
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "DRIRIEJS"
    3⤵
    - Launches sc.exe
    PID:904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\News.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:868
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:4952
- C:\Users\Admin\AppData\Local\Temp\vegas.exe
  "C:\Users\Admin\AppData\Local\Temp\vegas.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:448

C:\ProgramData\fizpxdtvfdpb\ggljrwvvwhni.exe
C:\ProgramData\fizpxdtvfdpb\ggljrwvvwhni.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3524
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1008
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:1496
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:2296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3672
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:1756
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4364
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:3508
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4300
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:876
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4448
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2012
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:4348
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:4384

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
1⤵
PID:2756

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\fizpxdtvfdpb\ggljrwvvwhni.exe

Filesize
273KB

MD5
ba2e3cc6e07078ff199c10e15c482422

SHA1
3ddbd55dbc5b24302b65afb96036c205563af2b7

SHA256
b6d11636d7b585749338d6fc79a4b40a11b4c63181fe7c96f53358c5fde8cf01

SHA512
e5fedc56df57f0af5c4ce68c019c8c67c9969867ae99d406eb7dba3171128f39740293a4cfc2e11befc67d3961cf3bffc80f03183acf0d2fb4e8fe9da3ee5563

Download Submit
C:\ProgramData\fizpxdtvfdpb\ggljrwvvwhni.exe

Filesize
648KB

MD5
e5c9432daf6d370ad3a784f9505dac0a

SHA1
34b2d80aaa84fb496882327e03a7b424e8363afe

SHA256
794112b4087fa18914da350c51f7bfa98c8377ab5b7217775213605d391cf0cf

SHA512
bcf7e41291c23366c1c4904249aee37e63a941c52b3f4d28ec282a53c0dc3e4b1fa27fe268521b0f05b2afec96b88d4b5b17cd28f6083e07cb9e6f9388f79d9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\News.exe

Filesize
2.0MB

MD5
fa659be831a89599dc7553869474cf36

SHA1
2370d611f76e78d2fd20c6f6f229e95ad00cb25d

SHA256
278792e785e79d2b5ae0b802dd7a11ebbceca3a037ad257f1716a4f03868e9bb

SHA512
217e3db42c2527f0cd04ef3c9c31c49a64e47e60dbd9546cb372c59c67066728c5a7ae0e5ea37c3ab7fe5c2ad317d947ea27f0a6253fc07414a297861da38141

Download Submit
C:\Users\Admin\AppData\Local\Temp\News.exe

Filesize
2.6MB

MD5
5360523978557d28180f0aa67fc0216b

SHA1
bad046fd59f80c9b3908a3033851cd04a2055a71

SHA256
6d86fa05b2790cb6f0165e303b48a1ddc7e36c488225b797fa64cce15d4de3d3

SHA512
c33e349fdc65efa1055ae0d6d59f1d2bbaf7c32f966969e041deffca5903a4b96b59d0cea6635bf14c2cc8f7980d845a28f62a1a5d08b3283c5bf9c7758f778f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2kr11kfb.zdr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\vegas.exe

Filesize
84KB

MD5
2674b0191c4e64e09d4c811481823dd3

SHA1
9cdc87caa4393f769029ac10ef6f2ee4fe9128c6

SHA256
d1933d7741d2c5ff810f37ecc0fc2b04d4d6d7daf05450a9ffd29c35d2cb2c05

SHA512
c719b1235ea4cf029f24140db52d7fc6c695af56cad58b82293aaee64e906fdc71c5441625caa93e5f8c28d5197c40fe2a087e2b8d6d7ba96f8d25fc4480861a

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
3KB

MD5
2d29fd3ae57f422e2b2121141dc82253

SHA1
c2464c857779c0ab4f5e766f5028fcc651a6c6b7

SHA256
80a60d7ec533d820de20bcedeb41319e7b1def548b6ea73ddbd69455bac4e7a4

SHA512
077a5c554663be7b71f181d961f5c98c732bc296dc015ffee30768a648bee3aad62c39c352cf2947432be19519906aeac7dfaf2557d309bb460732abb7fdbc68

Download Submit
memory/448-124-0x0000000000ED0000-0x0000000000EEC000-memory.dmp

Filesize
112KB

Download
memory/448-125-0x00007FFBE9770000-0x00007FFBEA231000-memory.dmp

Filesize
10.8MB

Download
memory/448-127-0x0000000001760000-0x0000000001770000-memory.dmp

Filesize
64KB

Download
memory/448-213-0x00007FFBE9770000-0x00007FFBEA231000-memory.dmp

Filesize
10.8MB

Download
memory/448-161-0x00007FFBE9770000-0x00007FFBEA231000-memory.dmp

Filesize
10.8MB

Download
memory/448-180-0x0000000001760000-0x0000000001770000-memory.dmp

Filesize
64KB

Download
memory/1008-157-0x00007FFBE9770000-0x00007FFBEA231000-memory.dmp

Filesize
10.8MB

Download
memory/1008-172-0x0000027635C90000-0x0000027635D45000-memory.dmp

Filesize
724KB

Download
memory/1008-183-0x00007FFBE9770000-0x00007FFBEA231000-memory.dmp

Filesize
10.8MB

Download
memory/1008-179-0x0000027636130000-0x000002763613A000-memory.dmp

Filesize
40KB

Download
memory/1008-178-0x0000027636120000-0x0000027636126000-memory.dmp

Filesize
24KB

Download
memory/1008-176-0x0000027636140000-0x000002763615A000-memory.dmp

Filesize
104KB

Download
memory/1008-158-0x000002761D300000-0x000002761D310000-memory.dmp

Filesize
64KB

Download
memory/1008-159-0x000002761D300000-0x000002761D310000-memory.dmp

Filesize
64KB

Download
memory/1008-160-0x000002761D300000-0x000002761D310000-memory.dmp

Filesize
64KB

Download
memory/1008-177-0x00000276360F0000-0x00000276360F8000-memory.dmp

Filesize
32KB

Download
memory/1008-171-0x0000027635C70000-0x0000027635C8C000-memory.dmp

Filesize
112KB

Download
memory/1008-175-0x00000276360E0000-0x00000276360EA000-memory.dmp

Filesize
40KB

Download
memory/1008-173-0x0000027635D50000-0x0000027635D5A000-memory.dmp

Filesize
40KB

Download
memory/1008-174-0x0000027636100000-0x000002763611C000-memory.dmp

Filesize
112KB

Download
memory/1508-2-0x000000001D190000-0x000000001D446000-memory.dmp

Filesize
2.7MB

Download
memory/1508-126-0x00007FFBE9770000-0x00007FFBEA231000-memory.dmp

Filesize
10.8MB

Download
memory/1508-1-0x00007FFBE9770000-0x00007FFBEA231000-memory.dmp

Filesize
10.8MB

Download
memory/1508-0-0x0000000000E30000-0x00000000010E8000-memory.dmp

Filesize
2.7MB

Download
memory/3508-186-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3508-188-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3508-189-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3508-187-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3508-190-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3508-193-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4364-196-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4364-201-0x0000020AB6190000-0x0000020AB61B0000-memory.dmp

Filesize
128KB

Download
memory/4364-211-0x0000020AB68A0000-0x0000020AB68C0000-memory.dmp

Filesize
128KB

Download
memory/4364-210-0x0000020AB68A0000-0x0000020AB68C0000-memory.dmp

Filesize
128KB

Download
memory/4364-209-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4364-195-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4364-197-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4364-198-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4364-208-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4364-199-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4364-200-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4364-194-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4364-202-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4364-203-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4364-204-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4364-205-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4364-206-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4364-207-0x0000020AB6860000-0x0000020AB68A0000-memory.dmp

Filesize
256KB

Download
memory/4684-138-0x00007FFBE9770000-0x00007FFBEA231000-memory.dmp

Filesize
10.8MB

Download
memory/4684-139-0x0000016CB0770000-0x0000016CB0780000-memory.dmp

Filesize
64KB

Download
memory/4684-140-0x0000016CB0770000-0x0000016CB0780000-memory.dmp

Filesize
64KB

Download
memory/4684-143-0x00007FFBE9770000-0x00007FFBEA231000-memory.dmp

Filesize
10.8MB

Download
memory/4684-137-0x0000016CB08D0000-0x0000016CB08F2000-memory.dmp

Filesize
136KB

Download