xmrig | c7d57685be2f2275c7e77ea9f3dee605f580391f2ab221de836d5b6956fb0fcd

Analysis

max time kernel
159s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09-03-2024 17:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

viaversion.exe
Size

2.1MB
MD5

20bee5b90d788cc5780b0ccbeb25a817
SHA1

3ae1c0684105f2c8c0d5e12c29e982dc6c0d0560
SHA256

83be40cbcf7e33332f513a7e46895cb844c94f1d53e519e4fc8846752ba8e330
SHA512

5dfb425babafa5c851895dc918dca45c762205fcfd629ce113c29024ffe4401da2f69427f4a190cecf9707a365b54f382c7dcdd4777eaff9a991281e73a1f756
SSDEEP

49152:lAhQlVmgOoTPjsjaMvFF4MrCVkCr7f2RHhMLoYEJRxC:+cV/Oi42MdFyzrb4BMcYEZC

Score

10^/10

xmrig evasion miner persistence upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

Processes:

resource	yara_rule
behavioral4/memory/4444-153-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral4/memory/4444-154-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral4/memory/4444-156-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral4/memory/4444-157-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral4/memory/4444-158-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral4/memory/4444-159-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral4/memory/4444-160-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral4/memory/4444-162-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral4/memory/4444-163-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Blocklisted process makes network request 1 IoCs

Processes:

cmd.exe

flow pid process

51 4444 cmd.exe
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Drops file in Drivers directory 2 IoCs

Processes:

exp.exeiexplore.exe

description ioc process

File created C:\Windows\system32\drivers\etc\hosts exp.exe
File created C:\Windows\system32\drivers\etc\hosts iexplore.exe
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

flow	pid	process
51	4444	cmd.exe

description	ioc	process
File created	C:\Windows\system32\drivers\etc\hosts	exp.exe
File created	C:\Windows\system32\drivers\etc\hosts	iexplore.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

viaversion.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	viaversion.exe

Deletes itself 1 IoCs

Processes:

powershell.exe

pid process

3128 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

exp.exeiexplore.exe

pid process

1092 exp.exe
1256 iexplore.exe

pid	process
1092	exp.exe
1256	iexplore.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral4/memory/4444-148-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral4/memory/4444-149-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral4/memory/4444-150-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral4/memory/4444-151-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral4/memory/4444-152-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral4/memory/4444-153-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral4/memory/4444-154-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral4/memory/4444-156-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral4/memory/4444-157-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral4/memory/4444-158-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral4/memory/4444-159-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral4/memory/4444-160-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral4/memory/4444-162-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral4/memory/4444-163-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Drops file in System32 directory 4 IoCs

Processes:

exp.exepowershell.exeiexplore.exe

description	ioc	process
File opened for modification	C:\Windows\system32\MRT.exe	exp.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	iexplore.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 1256 set thread context of 1804	1256	iexplore.exe	conhost.exe
PID 1256 set thread context of 4444	1256	iexplore.exe	cmd.exe

Launches sc.exe 14 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

3132 sc.exe
3696 sc.exe
776 sc.exe
4972 sc.exe
3472 sc.exe
2936 sc.exe
656 sc.exe
2456 sc.exe
2920 sc.exe
712 sc.exe
4468 sc.exe
4888 sc.exe
5084 sc.exe
1352 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3132	sc.exe
3696	sc.exe
776	sc.exe
4972	sc.exe
3472	sc.exe
2936	sc.exe
656	sc.exe
2456	sc.exe
2920	sc.exe
712	sc.exe
4468	sc.exe
4888	sc.exe
5084	sc.exe
1352	sc.exe

Modifies data under HKEY_USERS 46 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe

Modifies registry class 1 IoCs

Processes:

viaversion.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ viaversion.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	viaversion.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeexp.exepowershell.exeiexplore.exepowershell.execmd.exe

pid	process
3128	powershell.exe
3128	powershell.exe
3128	powershell.exe
1092	exp.exe
1600	powershell.exe
1600	powershell.exe
1600	powershell.exe
1092	exp.exe
1092	exp.exe
1092	exp.exe
1092	exp.exe
1092	exp.exe
1092	exp.exe
1092	exp.exe
1092	exp.exe
1092	exp.exe
1092	exp.exe
1092	exp.exe
1092	exp.exe
1092	exp.exe
1092	exp.exe
1092	exp.exe
1256	iexplore.exe
1784	powershell.exe
1784	powershell.exe
1784	powershell.exe
1256	iexplore.exe
1256	iexplore.exe
1256	iexplore.exe
1256	iexplore.exe
1256	iexplore.exe
1256	iexplore.exe
1256	iexplore.exe
1256	iexplore.exe
1256	iexplore.exe
1256	iexplore.exe
1256	iexplore.exe
1256	iexplore.exe
4444	cmd.exe
4444	cmd.exe
4444	cmd.exe
4444	cmd.exe
4444	cmd.exe
4444	cmd.exe
4444	cmd.exe
4444	cmd.exe
4444	cmd.exe
4444	cmd.exe
4444	cmd.exe
4444	cmd.exe
4444	cmd.exe
4444	cmd.exe
4444	cmd.exe
4444	cmd.exe
4444	cmd.exe
4444	cmd.exe
4444	cmd.exe
4444	cmd.exe
4444	cmd.exe
4444	cmd.exe
4444	cmd.exe
4444	cmd.exe
4444	cmd.exe
4444	cmd.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

672

pid	process
672

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

powershell.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.execmd.exe

description	pid	process
Token: SeDebugPrivilege	3128	powershell.exe
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeShutdownPrivilege	4876	powercfg.exe
Token: SeCreatePagefilePrivilege	4876	powercfg.exe
Token: SeShutdownPrivilege	3908	powercfg.exe
Token: SeCreatePagefilePrivilege	3908	powercfg.exe
Token: SeShutdownPrivilege	1492	powercfg.exe
Token: SeCreatePagefilePrivilege	1492	powercfg.exe
Token: SeShutdownPrivilege	4468	powercfg.exe
Token: SeCreatePagefilePrivilege	4468	powercfg.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeShutdownPrivilege	888	powercfg.exe
Token: SeCreatePagefilePrivilege	888	powercfg.exe
Token: SeShutdownPrivilege	1884	powercfg.exe
Token: SeCreatePagefilePrivilege	1884	powercfg.exe
Token: SeShutdownPrivilege	3532	powercfg.exe
Token: SeCreatePagefilePrivilege	3532	powercfg.exe
Token: SeShutdownPrivilege	2732	powercfg.exe
Token: SeCreatePagefilePrivilege	2732	powercfg.exe
Token: SeLockMemoryPrivilege	4444	cmd.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

viaversion.execmd.execmd.execmd.exeiexplore.exe

description	pid	process	target process
PID 216 wrote to memory of 1092	216	viaversion.exe	exp.exe
PID 216 wrote to memory of 1092	216	viaversion.exe	exp.exe
PID 216 wrote to memory of 3128	216	viaversion.exe	powershell.exe
PID 216 wrote to memory of 3128	216	viaversion.exe	powershell.exe
PID 4576 wrote to memory of 1900	4576	cmd.exe	wusa.exe
PID 4576 wrote to memory of 1900	4576	cmd.exe	wusa.exe
PID 1448 wrote to memory of 4516	1448	cmd.exe	choice.exe
PID 1448 wrote to memory of 4516	1448	cmd.exe	choice.exe
PID 964 wrote to memory of 4380	964	cmd.exe	wusa.exe
PID 964 wrote to memory of 4380	964	cmd.exe	wusa.exe
PID 1256 wrote to memory of 1804	1256	iexplore.exe	conhost.exe
PID 1256 wrote to memory of 1804	1256	iexplore.exe	conhost.exe
PID 1256 wrote to memory of 1804	1256	iexplore.exe	conhost.exe
PID 1256 wrote to memory of 1804	1256	iexplore.exe	conhost.exe
PID 1256 wrote to memory of 1804	1256	iexplore.exe	conhost.exe
PID 1256 wrote to memory of 1804	1256	iexplore.exe	conhost.exe
PID 1256 wrote to memory of 1804	1256	iexplore.exe	conhost.exe
PID 1256 wrote to memory of 1804	1256	iexplore.exe	conhost.exe
PID 1256 wrote to memory of 1804	1256	iexplore.exe	conhost.exe
PID 1256 wrote to memory of 4444	1256	iexplore.exe	cmd.exe
PID 1256 wrote to memory of 4444	1256	iexplore.exe	cmd.exe
PID 1256 wrote to memory of 4444	1256	iexplore.exe	cmd.exe
PID 1256 wrote to memory of 4444	1256	iexplore.exe	cmd.exe
PID 1256 wrote to memory of 4444	1256	iexplore.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\viaversion.exe
"C:\Users\Admin\AppData\Local\Temp\viaversion.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:216
- C:\ProgramData\exp.exe
  "C:\ProgramData\exp.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1092
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4576
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:1900
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:5084
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:656
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2456
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:3696
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:776
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4468
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3908
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4876
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1492
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "Internet"
    3⤵
    - Launches sc.exe
    PID:2920
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "Internet" binpath= "C:\ProgramData\SIGNUP\iexplore.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:4972
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:3472
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "Internet"
    3⤵
    - Launches sc.exe
    PID:2936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\ProgramData\exp.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1448
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:4516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $file='C:\Users\Admin\AppData\Local\Temp\viaversion.exe';for($i=1;$i -le 600 -and (Test-Path $file -PathType leaf);$i++){Remove-Item $file;Start-Sleep -m 100}
  2⤵
  - Deletes itself
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3128

C:\ProgramData\SIGNUP\iexplore.exe
C:\ProgramData\SIGNUP\iexplore.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:964
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:4380
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:712
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:4468
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:3132
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:1352
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:4888
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:888
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1884
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3532
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2732
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:1804
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1044 --field-trial-handle=2588,i,14229658658073991926,6938034815163866135,262144 --variations-seed-version /prefetch:8
1⤵
PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\exp.exe

Filesize
2.6MB

MD5
f5c15551ae543825dd17bb5f980e2086

SHA1
834514365d7c5ae754f0f63a03a850af033fb0ea

SHA256
07885504a2dcdc459a49de938ac29963996681f99d60bbcfa64f4c92cc30f417

SHA512
9d9576185bcc407bd96269bdb6033634fed0e60f3dce297ebed5d1e84caff7c5cbd6d6f5c623a6b896b0104ca1a04917b39808ff36825249535a706cf1bd2ba2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
223bd4ae02766ddc32e6145fd1a29301

SHA1
900cfd6526d7e33fb4039a1cc2790ea049bc2c5b

SHA256
1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e

SHA512
648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
27d71b9b7e7cad0128d1c05055dd26be

SHA1
8db2aca0059cf1d600c733026f99b6cd915a52bb

SHA256
a957e0eb587d081d4539ba6cb9d997b27ecf3ad44a75e6a82db6095932faadb2

SHA512
dc234fb5ac7566e9c8cda687d2d8e87645cc047a06004cde9801bc91c42148f0c4a7bf18d62fa07410182c8c216a30c06a04f3ab9003b1ac335a0878478d4315

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ti1eg2n5.1ia.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
3KB

MD5
2082b195c152af46507ecfa80955b64b

SHA1
ac4164f48a10fdc59e8249f98be3771a0186eee6

SHA256
2534e6e3246d38c1aaeefbb72beed327e4cd430432293b508dcc23404e15eeae

SHA512
3636baebbd311b2e3f144dfe1c42ea6e4509cfe27251bf4efa96fc12f16e8ac6ee32f0239955a7f36b1bd7f53df35ec7758390fb20e4912ae747db3a2e11bf32

Download Submit
memory/216-3-0x000000001BDD0000-0x000000001BDE0000-memory.dmp

Filesize
64KB

Download
memory/216-2-0x000000001C370000-0x000000001C58E000-memory.dmp

Filesize
2.1MB

Download
memory/216-65-0x00007FFB6F2F0000-0x00007FFB6FDB1000-memory.dmp

Filesize
10.8MB

Download
memory/216-1-0x00007FFB6F2F0000-0x00007FFB6FDB1000-memory.dmp

Filesize
10.8MB

Download
memory/216-0-0x0000000000160000-0x0000000000382000-memory.dmp

Filesize
2.1MB

Download
memory/1600-93-0x00007FFB6EB90000-0x00007FFB6F651000-memory.dmp

Filesize
10.8MB

Download
memory/1600-94-0x000001551D580000-0x000001551D590000-memory.dmp

Filesize
64KB

Download
memory/1600-98-0x00007FFB6EB90000-0x00007FFB6F651000-memory.dmp

Filesize
10.8MB

Download
memory/1600-95-0x000001551D580000-0x000001551D590000-memory.dmp

Filesize
64KB

Download
memory/1784-133-0x000001CEAD520000-0x000001CEAD52A000-memory.dmp

Filesize
40KB

Download
memory/1784-134-0x000001CE94820000-0x000001CE94830000-memory.dmp

Filesize
64KB

Download
memory/1784-103-0x00007FFB6EBE0000-0x00007FFB6F6A1000-memory.dmp

Filesize
10.8MB

Download
memory/1784-113-0x000001CE94820000-0x000001CE94830000-memory.dmp

Filesize
64KB

Download
memory/1784-114-0x000001CE94820000-0x000001CE94830000-memory.dmp

Filesize
64KB

Download
memory/1784-115-0x00007FF48C840000-0x00007FF48C850000-memory.dmp

Filesize
64KB

Download
memory/1784-125-0x000001CEAD2A0000-0x000001CEAD2BC000-memory.dmp

Filesize
112KB

Download
memory/1784-126-0x000001CEAD2C0000-0x000001CEAD375000-memory.dmp

Filesize
724KB

Download
memory/1784-127-0x000001CEAD380000-0x000001CEAD38A000-memory.dmp

Filesize
40KB

Download
memory/1784-128-0x000001CEAD4F0000-0x000001CEAD50C000-memory.dmp

Filesize
112KB

Download
memory/1784-129-0x000001CEAD4D0000-0x000001CEAD4DA000-memory.dmp

Filesize
40KB

Download
memory/1784-130-0x000001CEAD530000-0x000001CEAD54A000-memory.dmp

Filesize
104KB

Download
memory/1784-131-0x000001CEAD4E0000-0x000001CEAD4E8000-memory.dmp

Filesize
32KB

Download
memory/1784-132-0x000001CEAD510000-0x000001CEAD516000-memory.dmp

Filesize
24KB

Download
memory/1784-137-0x00007FFB6EBE0000-0x00007FFB6F6A1000-memory.dmp

Filesize
10.8MB

Download
memory/1804-147-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/1804-140-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/1804-141-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/1804-142-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/1804-144-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/1804-143-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/3128-67-0x00000249FAE50000-0x00000249FAE60000-memory.dmp

Filesize
64KB

Download
memory/3128-66-0x00007FFB6F2F0000-0x00007FFB6FDB1000-memory.dmp

Filesize
10.8MB

Download
memory/3128-68-0x00000249FAE50000-0x00000249FAE60000-memory.dmp

Filesize
64KB

Download
memory/3128-74-0x00000249FAE90000-0x00000249FAEB2000-memory.dmp

Filesize
136KB

Download
memory/3128-79-0x00000249FAE50000-0x00000249FAE60000-memory.dmp

Filesize
64KB

Download
memory/3128-82-0x00007FFB6F2F0000-0x00007FFB6FDB1000-memory.dmp

Filesize
10.8MB

Download
memory/4444-151-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4444-157-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4444-150-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4444-148-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4444-152-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4444-153-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4444-154-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4444-155-0x0000028394CD0000-0x0000028394CF0000-memory.dmp

Filesize
128KB

Download
memory/4444-156-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4444-149-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4444-158-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4444-159-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4444-160-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4444-161-0x00000283954E0000-0x0000028395520000-memory.dmp

Filesize
256KB

Download
memory/4444-162-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4444-163-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4444-164-0x0000028394F50000-0x0000028394F70000-memory.dmp

Filesize
128KB

Download
memory/4444-165-0x0000028394F50000-0x0000028394F70000-memory.dmp

Filesize
128KB

Download