phemedrone | 3581ec8316ebca52d075c8c97f22857f4eaa9e5c9ba3c4c08ec0ef57f8c610b2

Resubmissions

04/02/2024, 09:11

240204-k5n22agcdl 10

04/02/2024, 09:07

240204-k3s8zagcaq 10

Analysis

max time kernel
149s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20231222-en
resource tags

arch:x64arch:x86image:win11-20231222-enlocale:en-usos:windows11-21h2-x64system
submitted
04/02/2024, 09:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FunPev.exe
Size

2.8MB
MD5

f8b3253892fbd1e56f2fc46b9b79166d
SHA1

4834ed4980148055733af52834958d2884d27b2f
SHA256

3581ec8316ebca52d075c8c97f22857f4eaa9e5c9ba3c4c08ec0ef57f8c610b2
SHA512

6bdbbe764ebb264f052cfd43633f81dc02e22c4b14f0eec78450d56217475f983b5202ab79dbe5c9f1bc453626cfd06e4fcaa13662f99b7072338e20ddafbe35
SSDEEP

49152:LekGSFyxsRbm58Dkwu2WDIxwZsjm8uV88i/O2g7QIIvw7QQZq4PXO:SkGSFsWbF1u9kxwuj+pi/c7nIA

Score

10^/10

phemedrone xmrig evasion miner persistence spyware stealer upx

Malware Config

Signatures

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral1/memory/2016-199-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2016-202-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2016-204-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2016-205-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2016-203-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2016-206-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2016-200-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2016-208-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2016-209-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	Pev.exe
File created	C:\Windows\system32\drivers\etc\hosts	ggljrwvvwhni.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 3 IoCs

pid	Process
2880	Fun.exe
1396	Pev.exe
1904	ggljrwvvwhni.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2016-194-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2016-196-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2016-198-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2016-199-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2016-202-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2016-204-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2016-205-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2016-203-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2016-206-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2016-200-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2016-195-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2016-193-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2016-208-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2016-209-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	ggljrwvvwhni.exe
File opened for modification	C:\Windows\system32\MRT.exe	Pev.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1904 set thread context of 764	1904	ggljrwvvwhni.exe	124
PID 1904 set thread context of 2016	1904	ggljrwvvwhni.exe	120

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1008	sc.exe
3600	sc.exe
3264	sc.exe
2844	sc.exe
3896	sc.exe
944	sc.exe
4388	sc.exe
4644	sc.exe
1244	sc.exe
3700	sc.exe
4344	sc.exe
2044	sc.exe
2972	sc.exe
3892	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	FunPev.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2880	Fun.exe
2880	Fun.exe
2880	Fun.exe
2880	Fun.exe
2880	Fun.exe
2880	Fun.exe
2880	Fun.exe
2880	Fun.exe
2880	Fun.exe
2880	Fun.exe
2880	Fun.exe
2880	Fun.exe
2880	Fun.exe
2880	Fun.exe
2880	Fun.exe
2880	Fun.exe
2880	Fun.exe
2880	Fun.exe
2880	Fun.exe
2880	Fun.exe
2880	Fun.exe
2880	Fun.exe
2880	Fun.exe
2880	Fun.exe
1396	Pev.exe
1628	powershell.exe
1628	powershell.exe
1396	Pev.exe
1396	Pev.exe
1396	Pev.exe
1396	Pev.exe
1396	Pev.exe
1396	Pev.exe
1396	Pev.exe
1396	Pev.exe
1396	Pev.exe
1396	Pev.exe
1396	Pev.exe
1396	Pev.exe
1396	Pev.exe
1396	Pev.exe
1396	Pev.exe
1904	ggljrwvvwhni.exe
2324	powershell.exe
2324	powershell.exe
1904	ggljrwvvwhni.exe
1904	ggljrwvvwhni.exe
1904	ggljrwvvwhni.exe
1904	ggljrwvvwhni.exe
1904	ggljrwvvwhni.exe
1904	ggljrwvvwhni.exe
1904	ggljrwvvwhni.exe
1904	ggljrwvvwhni.exe
1904	ggljrwvvwhni.exe
1904	ggljrwvvwhni.exe
1904	ggljrwvvwhni.exe
1904	ggljrwvvwhni.exe
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe
2016	svchost.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2880	Fun.exe
Token: SeDebugPrivilege	1628	powershell.exe
Token: SeDebugPrivilege	1396	Pev.exe
Token: SeShutdownPrivilege	4568	powercfg.exe
Token: SeCreatePagefilePrivilege	4568	powercfg.exe
Token: SeShutdownPrivilege	4132	powercfg.exe
Token: SeCreatePagefilePrivilege	4132	powercfg.exe
Token: SeShutdownPrivilege	3272	powercfg.exe
Token: SeCreatePagefilePrivilege	3272	powercfg.exe
Token: SeShutdownPrivilege	3652	powercfg.exe
Token: SeCreatePagefilePrivilege	3652	powercfg.exe
Token: SeDebugPrivilege	2324	powershell.exe
Token: SeDebugPrivilege	1904	ggljrwvvwhni.exe
Token: SeShutdownPrivilege	2804	powercfg.exe
Token: SeCreatePagefilePrivilege	2804	powercfg.exe
Token: SeShutdownPrivilege	72	powercfg.exe
Token: SeCreatePagefilePrivilege	72	powercfg.exe
Token: SeShutdownPrivilege	280	powercfg.exe
Token: SeCreatePagefilePrivilege	280	powercfg.exe
Token: SeShutdownPrivilege	1204	powercfg.exe
Token: SeCreatePagefilePrivilege	1204	powercfg.exe
Token: SeLockMemoryPrivilege	2016	svchost.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1252 wrote to memory of 2880	1252	FunPev.exe	79
PID 1252 wrote to memory of 2880	1252	FunPev.exe	79
PID 1252 wrote to memory of 1396	1252	FunPev.exe	81
PID 1252 wrote to memory of 1396	1252	FunPev.exe	81
PID 4600 wrote to memory of 4420	4600	cmd.exe	144
PID 4600 wrote to memory of 4420	4600	cmd.exe	144
PID 4412 wrote to memory of 4556	4412	cmd.exe	98
PID 4412 wrote to memory of 4556	4412	cmd.exe	98
PID 2268 wrote to memory of 3704	2268	cmd.exe	137
PID 2268 wrote to memory of 3704	2268	cmd.exe	137
PID 1904 wrote to memory of 764	1904	ggljrwvvwhni.exe	124
PID 1904 wrote to memory of 764	1904	ggljrwvvwhni.exe	124
PID 1904 wrote to memory of 764	1904	ggljrwvvwhni.exe	124
PID 1904 wrote to memory of 764	1904	ggljrwvvwhni.exe	124
PID 1904 wrote to memory of 764	1904	ggljrwvvwhni.exe	124
PID 1904 wrote to memory of 764	1904	ggljrwvvwhni.exe	124
PID 1904 wrote to memory of 764	1904	ggljrwvvwhni.exe	124
PID 1904 wrote to memory of 764	1904	ggljrwvvwhni.exe	124
PID 1904 wrote to memory of 764	1904	ggljrwvvwhni.exe	124
PID 1904 wrote to memory of 2016	1904	ggljrwvvwhni.exe	120
PID 1904 wrote to memory of 2016	1904	ggljrwvvwhni.exe	120
PID 1904 wrote to memory of 2016	1904	ggljrwvvwhni.exe	120
PID 1904 wrote to memory of 2016	1904	ggljrwvvwhni.exe	120
PID 1904 wrote to memory of 2016	1904	ggljrwvvwhni.exe	120

C:\Users\Admin\AppData\Local\Temp\FunPev.exe
"C:\Users\Admin\AppData\Local\Temp\FunPev.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Users\Admin\AppData\Local\Temp\Fun.exe
  "C:\Users\Admin\AppData\Local\Temp\Fun.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2880
- C:\Users\Admin\AppData\Local\Temp\Pev.exe
  "C:\Users\Admin\AppData\Local\Temp\Pev.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1396
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1628
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:4344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4600
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:4420
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:1008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Pev.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4412
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "DRIRIEJS"
    3⤵
    - Launches sc.exe
    PID:3600
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:4644
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "DRIRIEJS" binpath= "C:\ProgramData\fizpxdtvfdpb\ggljrwvvwhni.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:1244
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "DRIRIEJS"
    3⤵
    - Launches sc.exe
    PID:944
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4132
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3652
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4568
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3272
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:2044
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:4388
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:3892

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4040

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
1⤵
PID:4556

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2324

C:\ProgramData\fizpxdtvfdpb\ggljrwvvwhni.exe
C:\ProgramData\fizpxdtvfdpb\ggljrwvvwhni.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2016
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:764
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:280
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2804
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1204
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:72
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:3264
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:2844
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:3700
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:2972
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:3896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2268

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
1⤵
PID:3704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\fizpxdtvfdpb\ggljrwvvwhni.exe

Filesize
999KB

MD5
b4dc330c6bdfaf191b824813906698ba

SHA1
4d233ff2d7fd8ad078d440645ba6ab93bd9f5431

SHA256
fa8b36596f87307cdbb5b69f33b4a6dbff4d9ed22c39a7c966eed27fd1a72b5d

SHA512
f6986014c99d8a2d30d96b7cdb8e7a9e38c69be8128ac2e2e84ce291cc12d9d35e64e9fc64bcd88bdab2e03e09384113f06f495eabcb2ed2ddd0152bf5509a79

Download Submit
C:\ProgramData\fizpxdtvfdpb\ggljrwvvwhni.exe

Filesize
148KB

MD5
d0d569406e6f31ff81391f4a1fdd1c1d

SHA1
d97d141760cbd5ec6d4b8d67759a9222f1d7d295

SHA256
cbde03e8f9e0187bc3eebea63bdbaf42885936a8ffb291741d7230ff68d3f05e

SHA512
a70cc992e6ff214987655e9784b5674787043a2974b7bfa8fc652fb0013bfe7c9708b0348a37bf5455e74ac842e6219b953f94b6ac919814bad2ee2153553d3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fun.exe

Filesize
84KB

MD5
d4a83b7524f738c124b66e750005a370

SHA1
f0c823bfeee6d11b8388a6aa309dd26f99ffbd9f

SHA256
f2db703542baaaba867eb97e29d28afef5f19da2759831e7d03a0aa01e76585b

SHA512
0049de80fa35cff2760a68b8462578e9e0d9e6cd5b118572e646d476d237505ec5b3f07822fab70e45cf5297bb9cb8b4df6be4d63f6a6751daccd2056c71bc9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pev.exe

Filesize
1.1MB

MD5
d4aa223e7151b7e19389cf63486042ec

SHA1
88f89708d34e36c0c5d9c4264f573518a57d5ee8

SHA256
ad1e777c38eb4e5dd76e0cf0d34889b037c6e7d4bb64df5f66a2ae6bc3885d0c

SHA512
56b29de922a62a22555f0b9528690f55a2dca122a44225d39fc8033a093415e4fa7c5c92b126cde802b75c803dd42b5f93a6f0ea8823eecaab2366e63723cf2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pev.exe

Filesize
1.2MB

MD5
ad0a5372567ddd93e7952beb6b2f1a3d

SHA1
903e78dd75241720ff39cfef5b88051239a4fc16

SHA256
a1ba19e454c04aab4a6b97b465de4c457e7adad367619b56313e73c96d42734d

SHA512
69d1ca44d6e6dbeb4c82b3afdae8c42f7db665a7a75ceddae7bf51ffba5b7abc870c7445906b9ae40757fb2b619809e4a7f732cbaaec4316413e5f6d1b9cb256

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pev.exe

Filesize
926KB

MD5
a10afd4f62080d46855f1a97884962a2

SHA1
737f71ab27fbdbe4035085b418db002cdab92138

SHA256
36c2d68bb046750daf37f6b25d4e83c86de5cd85be5eb25b92b37d5ca635945b

SHA512
7cb0abbb4a15fbab323f69a979b297721fa0c9d5e3679c60fb82ad8372fb06b466365882873e6cf76bc76ae4acecbb6b02bfd3a98bee5768049c903b54b1d1d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_banpavxs.swv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
3KB

MD5
2d29fd3ae57f422e2b2121141dc82253

SHA1
c2464c857779c0ab4f5e766f5028fcc651a6c6b7

SHA256
80a60d7ec533d820de20bcedeb41319e7b1def548b6ea73ddbd69455bac4e7a4

SHA512
077a5c554663be7b71f181d961f5c98c732bc296dc015ffee30768a648bee3aad62c39c352cf2947432be19519906aeac7dfaf2557d309bb460732abb7fdbc68

Download Submit
memory/764-185-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/764-187-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/764-186-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/764-191-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/764-189-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/764-188-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1252-2-0x000000001C900000-0x000000001CBB6000-memory.dmp

Filesize
2.7MB

Download
memory/1252-126-0x00007FFA59F80000-0x00007FFA5AA42000-memory.dmp

Filesize
10.8MB

Download
memory/1252-0-0x00000000005C0000-0x000000000088E000-memory.dmp

Filesize
2.8MB

Download
memory/1252-1-0x00007FFA59F80000-0x00007FFA5AA42000-memory.dmp

Filesize
10.8MB

Download
memory/1628-135-0x00000286DAC90000-0x00000286DACB2000-memory.dmp

Filesize
136KB

Download
memory/1628-142-0x00000286F31C0000-0x00000286F31D0000-memory.dmp

Filesize
64KB

Download
memory/1628-139-0x00007FFA5A0D0000-0x00007FFA5AB92000-memory.dmp

Filesize
10.8MB

Download
memory/1628-140-0x00000286F31C0000-0x00000286F31D0000-memory.dmp

Filesize
64KB

Download
memory/1628-141-0x00000286F31C0000-0x00000286F31D0000-memory.dmp

Filesize
64KB

Download
memory/1628-145-0x00007FFA5A0D0000-0x00007FFA5AB92000-memory.dmp

Filesize
10.8MB

Download
memory/2016-201-0x0000019A8D760000-0x0000019A8D780000-memory.dmp

Filesize
128KB

Download
memory/2016-203-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2016-211-0x0000019A8DE60000-0x0000019A8DE80000-memory.dmp

Filesize
128KB

Download
memory/2016-210-0x0000019A8DE60000-0x0000019A8DE80000-memory.dmp

Filesize
128KB

Download
memory/2016-209-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2016-208-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2016-207-0x0000019A8D7D0000-0x0000019A8D7F0000-memory.dmp

Filesize
128KB

Download
memory/2016-193-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2016-195-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2016-200-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2016-206-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2016-194-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2016-196-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2016-197-0x00007FFA780DB000-0x00007FFA780DC000-memory.dmp

Filesize
4KB

Download
memory/2016-198-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2016-199-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2016-202-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2016-204-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2016-205-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2324-170-0x0000024973B60000-0x0000024973B7C000-memory.dmp

Filesize
112KB

Download
memory/2324-182-0x00007FFA5A270000-0x00007FFA5AD32000-memory.dmp

Filesize
10.8MB

Download
memory/2324-158-0x00007FFA5A270000-0x00007FFA5AD32000-memory.dmp

Filesize
10.8MB

Download
memory/2324-176-0x0000024973C50000-0x0000024973C58000-memory.dmp

Filesize
32KB

Download
memory/2324-179-0x0000024973740000-0x0000024973750000-memory.dmp

Filesize
64KB

Download
memory/2324-178-0x0000024973D90000-0x0000024973D9A000-memory.dmp

Filesize
40KB

Download
memory/2324-159-0x0000024973740000-0x0000024973750000-memory.dmp

Filesize
64KB

Download
memory/2324-160-0x0000024973740000-0x0000024973750000-memory.dmp

Filesize
64KB

Download
memory/2324-161-0x0000024973740000-0x0000024973750000-memory.dmp

Filesize
64KB

Download
memory/2324-172-0x0000024973950000-0x000002497395A000-memory.dmp

Filesize
40KB

Download
memory/2324-173-0x0000024973C60000-0x0000024973C7C000-memory.dmp

Filesize
112KB

Download
memory/2324-174-0x0000024973C40000-0x0000024973C4A000-memory.dmp

Filesize
40KB

Download
memory/2324-177-0x0000024973D80000-0x0000024973D86000-memory.dmp

Filesize
24KB

Download
memory/2324-171-0x0000024973B80000-0x0000024973C33000-memory.dmp

Filesize
716KB

Download
memory/2324-175-0x0000024973DA0000-0x0000024973DBA000-memory.dmp

Filesize
104KB

Download
memory/2880-79-0x0000000000D20000-0x0000000000D3C000-memory.dmp

Filesize
112KB

Download
memory/2880-121-0x00007FFA59F80000-0x00007FFA5AA42000-memory.dmp

Filesize
10.8MB

Download
memory/2880-127-0x000000001C0C0000-0x000000001C0D0000-memory.dmp

Filesize
64KB

Download
memory/2880-129-0x00007FFA59F80000-0x00007FFA5AA42000-memory.dmp

Filesize
10.8MB

Download