phorphiex | 4b332741c9b18814b397445cf93d10515ca4d2b95fde05686e6583a42de37fc3

General

Target

85b28f9c06352d426df83b6f25a957f3_JaffaCakes118.exe
Size

451KB
MD5

85b28f9c06352d426df83b6f25a957f3
SHA1

d11ed3bee7fef2d60b6de1fbc539ef4d2c9265e9
SHA256

4b332741c9b18814b397445cf93d10515ca4d2b95fde05686e6583a42de37fc3
SHA512

370361dc0fee6f1aeea25fc1af732d4971ee1aee6d7de188c01b587c3135f0801b88ae6258ada95a397ecbc3bfa9b2087728bf5887580b0c41656c0b044e5435
SSDEEP

12288:wtQsjr1agUc7iGBDZyRrvgpTsdiIhSSyE/24v99P:a9jrQQuGirgp4diIhiPmH

Score

10^/10

phorphiex xmrig evasion loader miner persistence trojan worm

Malware Config

Extracted

Family

phorphiex

C2

http://185.215.113.66/

Wallets

0xAa3ea4838e8E3F6a1922c6B67E3cD6efD1ff175b

THRUoPK7oYqF7YyKZJvPYwTH35JsPZVPto

1Hw9tx4KyTq4oRoLVhPb4hjDJcLhEa4Tn6

qr89hag2967ef604ud3lw4pq8hmn69n46czwdnx3ut

XtxFdsKkRN3oVDXtN2ipcHeNi87basT2sL

LXMNcn9D8FQKzGNLjdSyR9dEM8Rsh9NzyX

rwn7tb5KQjXEjH42GgdHWHec5PPhVgqhSH

ARML6g7zynrwUHJbFJCCzMPiysUFXYBGgQ

48jYpFT6bT8MTeph7VsyzCQeDsGHqdQNc2kUkRFJPzfRHHjarBvBtudPUtParMkDzZbYBrd3yntWBQcsnVBNeeMbN9EXifg

3PL7YCa4akNYzuScqQwiSbtTP9q9E9PLreC

3FerB8kUraAVGCVCNkgv57zTBjUGjAUkU3

D9AJWrbYsidS9rAU146ifLRu1fzX9oQYSH

t1gvVWHnjbGTsoWXEyoTFojc2GqEzBgvbEn

bnb1cgttf7t5hu7ud3c436ufhcmy59qnkd09adqczd

bc1q0fusmmgycnhsd5cadsuz2hk8d4maausjfjypqg

bitcoincash:qr89hag2967ef604ud3lw4pq8hmn69n46czwdnx3ut

GAUCC7ZBSU2KJMHXOZD6AP5LOBGKNDPCDNRYP2CO2ACR63YCSUBNT5QE

Signatures

Phorphiex
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Phorphiex payload 1 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\3047911394.exe	family_phorphiex

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

Processes:

1162928210.exewupgrdsv.exe

description	pid	process	target process
PID 1876 created 1240	1876	1162928210.exe	Explorer.EXE
PID 1876 created 1240	1876	1162928210.exe	Explorer.EXE
PID 2996 created 1240	2996	wupgrdsv.exe	Explorer.EXE
PID 2996 created 1240	2996	wupgrdsv.exe	Explorer.EXE

Windows security bypass 2 TTPs 18 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

3047911394.exesylsplvc.exe197762774.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	3047911394.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	3047911394.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sylsplvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sylsplvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	3047911394.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sylsplvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	197762774.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	197762774.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	3047911394.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	197762774.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	197762774.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	197762774.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sylsplvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	3047911394.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	3047911394.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sylsplvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sylsplvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	197762774.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 3 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2996-131-0x000000013F3F0000-0x000000013F966000-memory.dmp	xmrig
behavioral1/memory/2936-134-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2936-135-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig

Downloads MZ/PE file

Executes dropped EXE 9 IoCs

Processes:

4B91.exesylsplvc.exe3047911394.exe197762774.exe211009282.exe1027232614.exe129495455.exe1162928210.exewupgrdsv.exe

pid	process
2484	4B91.exe
2624	sylsplvc.exe
2412	3047911394.exe
484	197762774.exe
2824	211009282.exe
2084	1027232614.exe
2228	129495455.exe
1876	1162928210.exe
2996	wupgrdsv.exe

Loads dropped DLL 11 IoCs

Processes:

85b28f9c06352d426df83b6f25a957f3_JaffaCakes118.exesylsplvc.exe197762774.exe129495455.exetaskeng.exe

pid	process
2884	85b28f9c06352d426df83b6f25a957f3_JaffaCakes118.exe
2884	85b28f9c06352d426df83b6f25a957f3_JaffaCakes118.exe
2624	sylsplvc.exe
2624	sylsplvc.exe
2624	sylsplvc.exe
484	197762774.exe
484	197762774.exe
484	197762774.exe
484	197762774.exe
2228	129495455.exe
2604	taskeng.exe

Windows security modification 2 TTPs 21 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

sylsplvc.exe3047911394.exe197762774.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sylsplvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	3047911394.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	197762774.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	197762774.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	197762774.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	197762774.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sylsplvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	3047911394.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	3047911394.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	3047911394.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	3047911394.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sylsplvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	197762774.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	197762774.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	3047911394.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	197762774.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sylsplvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sylsplvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sylsplvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sylsplvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	3047911394.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

4B91.exe3047911394.exe197762774.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sylsplvc.exe"	4B91.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Service = "C:\\Windows\\winknavrso.exe"	3047911394.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Service = "C:\\Users\\Admin\\winknavrso.exe"	3047911394.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysdinrdvs.exe"	197762774.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Users\\Admin\\sysdinrdvs.exe"	197762774.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

wupgrdsv.exe

description pid process target process

PID 2996 set thread context of 2936 2996 wupgrdsv.exe notepad.exe

description	pid	process	target process
PID 2996 set thread context of 2936	2996	wupgrdsv.exe	notepad.exe

Drops file in Windows directory 6 IoCs

Processes:

3047911394.exe197762774.exe4B91.exe

description	ioc	process
File created	C:\Windows\winknavrso.exe	3047911394.exe
File opened for modification	C:\Windows\winknavrso.exe	3047911394.exe
File created	C:\Windows\sysdinrdvs.exe	197762774.exe
File opened for modification	C:\Windows\sysdinrdvs.exe	197762774.exe
File created	C:\Windows\sylsplvc.exe	4B91.exe
File opened for modification	C:\Windows\sylsplvc.exe	4B91.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2536 schtasks.exe
2392 schtasks.exe

pid	process
2536	schtasks.exe
2392	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

1162928210.exepowershell.exewupgrdsv.exepowershell.exe

pid	process
1876	1162928210.exe
1876	1162928210.exe
2964	powershell.exe
1876	1162928210.exe
1876	1162928210.exe
2996	wupgrdsv.exe
2996	wupgrdsv.exe
3000	powershell.exe
2996	wupgrdsv.exe
2996	wupgrdsv.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

464
Suspicious behavior: SetClipboardViewer 2 IoCs

Processes:

3047911394.exe197762774.exe

pid process

2412 3047911394.exe
484 197762774.exe

pid	process
464

pid	process
2412	3047911394.exe
484	197762774.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exenotepad.exe

description	pid	process
Token: SeDebugPrivilege	2964	powershell.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeLockMemoryPrivilege	2936	notepad.exe
Token: SeLockMemoryPrivilege	2936	notepad.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

notepad.exe

pid	process
2936	notepad.exe
2936	notepad.exe
2936	notepad.exe
2936	notepad.exe
2936	notepad.exe
2936	notepad.exe
2936	notepad.exe
2936	notepad.exe
2936	notepad.exe
2936	notepad.exe
2936	notepad.exe
2936	notepad.exe
2936	notepad.exe
2936	notepad.exe
2936	notepad.exe
2936	notepad.exe
2936	notepad.exe
2936	notepad.exe
2936	notepad.exe
2936	notepad.exe
2936	notepad.exe
2936	notepad.exe
2936	notepad.exe
2936	notepad.exe
2936	notepad.exe

Suspicious use of SendNotifyMessage 25 IoCs

Processes:

notepad.exe

pid	process
2936	notepad.exe
2936	notepad.exe
2936	notepad.exe
2936	notepad.exe
2936	notepad.exe
2936	notepad.exe
2936	notepad.exe
2936	notepad.exe
2936	notepad.exe
2936	notepad.exe
2936	notepad.exe
2936	notepad.exe
2936	notepad.exe
2936	notepad.exe
2936	notepad.exe
2936	notepad.exe
2936	notepad.exe
2936	notepad.exe
2936	notepad.exe
2936	notepad.exe
2936	notepad.exe
2936	notepad.exe
2936	notepad.exe
2936	notepad.exe
2936	notepad.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

85b28f9c06352d426df83b6f25a957f3_JaffaCakes118.exe4B91.exesylsplvc.exe197762774.exe129495455.exepowershell.exetaskeng.exepowershell.exewupgrdsv.exe

description	pid	process	target process
PID 2884 wrote to memory of 2484	2884	85b28f9c06352d426df83b6f25a957f3_JaffaCakes118.exe	4B91.exe
PID 2884 wrote to memory of 2484	2884	85b28f9c06352d426df83b6f25a957f3_JaffaCakes118.exe	4B91.exe
PID 2884 wrote to memory of 2484	2884	85b28f9c06352d426df83b6f25a957f3_JaffaCakes118.exe	4B91.exe
PID 2884 wrote to memory of 2484	2884	85b28f9c06352d426df83b6f25a957f3_JaffaCakes118.exe	4B91.exe
PID 2484 wrote to memory of 2624	2484	4B91.exe	sylsplvc.exe
PID 2484 wrote to memory of 2624	2484	4B91.exe	sylsplvc.exe
PID 2484 wrote to memory of 2624	2484	4B91.exe	sylsplvc.exe
PID 2484 wrote to memory of 2624	2484	4B91.exe	sylsplvc.exe
PID 2624 wrote to memory of 2412	2624	sylsplvc.exe	3047911394.exe
PID 2624 wrote to memory of 2412	2624	sylsplvc.exe	3047911394.exe
PID 2624 wrote to memory of 2412	2624	sylsplvc.exe	3047911394.exe
PID 2624 wrote to memory of 2412	2624	sylsplvc.exe	3047911394.exe
PID 2624 wrote to memory of 484	2624	sylsplvc.exe	197762774.exe
PID 2624 wrote to memory of 484	2624	sylsplvc.exe	197762774.exe
PID 2624 wrote to memory of 484	2624	sylsplvc.exe	197762774.exe
PID 2624 wrote to memory of 484	2624	sylsplvc.exe	197762774.exe
PID 484 wrote to memory of 2824	484	197762774.exe	211009282.exe
PID 484 wrote to memory of 2824	484	197762774.exe	211009282.exe
PID 484 wrote to memory of 2824	484	197762774.exe	211009282.exe
PID 484 wrote to memory of 2824	484	197762774.exe	211009282.exe
PID 484 wrote to memory of 2084	484	197762774.exe	1027232614.exe
PID 484 wrote to memory of 2084	484	197762774.exe	1027232614.exe
PID 484 wrote to memory of 2084	484	197762774.exe	1027232614.exe
PID 484 wrote to memory of 2084	484	197762774.exe	1027232614.exe
PID 484 wrote to memory of 2228	484	197762774.exe	129495455.exe
PID 484 wrote to memory of 2228	484	197762774.exe	129495455.exe
PID 484 wrote to memory of 2228	484	197762774.exe	129495455.exe
PID 484 wrote to memory of 2228	484	197762774.exe	129495455.exe
PID 2228 wrote to memory of 1876	2228	129495455.exe	1162928210.exe
PID 2228 wrote to memory of 1876	2228	129495455.exe	1162928210.exe
PID 2228 wrote to memory of 1876	2228	129495455.exe	1162928210.exe
PID 2228 wrote to memory of 1876	2228	129495455.exe	1162928210.exe
PID 2964 wrote to memory of 2536	2964	powershell.exe	schtasks.exe
PID 2964 wrote to memory of 2536	2964	powershell.exe	schtasks.exe
PID 2964 wrote to memory of 2536	2964	powershell.exe	schtasks.exe
PID 2604 wrote to memory of 2996	2604	taskeng.exe	wupgrdsv.exe
PID 2604 wrote to memory of 2996	2604	taskeng.exe	wupgrdsv.exe
PID 2604 wrote to memory of 2996	2604	taskeng.exe	wupgrdsv.exe
PID 3000 wrote to memory of 2392	3000	powershell.exe	schtasks.exe
PID 3000 wrote to memory of 2392	3000	powershell.exe	schtasks.exe
PID 3000 wrote to memory of 2392	3000	powershell.exe	schtasks.exe
PID 2996 wrote to memory of 2936	2996	wupgrdsv.exe	notepad.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1240

C:\Users\Admin\AppData\Local\Temp\85b28f9c06352d426df83b6f25a957f3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\85b28f9c06352d426df83b6f25a957f3_JaffaCakes118.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2884

C:\Users\Admin\AppData\Local\Temp\4B91.exe
"C:\Users\Admin\AppData\Local\Temp\4B91.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2484

C:\Windows\sylsplvc.exe
C:\Windows\sylsplvc.exe
4⤵
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Suspicious use of WriteProcessMemory
PID:2624

C:\Users\Admin\AppData\Local\Temp\3047911394.exe
C:\Users\Admin\AppData\Local\Temp\3047911394.exe
5⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: SetClipboardViewer
PID:2412

C:\Users\Admin\AppData\Local\Temp\197762774.exe
C:\Users\Admin\AppData\Local\Temp\197762774.exe
5⤵
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: SetClipboardViewer
- Suspicious use of WriteProcessMemory
PID:484

C:\Users\Admin\AppData\Local\Temp\211009282.exe
C:\Users\Admin\AppData\Local\Temp\211009282.exe
6⤵
- Executes dropped EXE
PID:2824

C:\Users\Admin\AppData\Local\Temp\1027232614.exe
C:\Users\Admin\AppData\Local\Temp\1027232614.exe
6⤵
- Executes dropped EXE
PID:2084

C:\Users\Admin\AppData\Local\Temp\129495455.exe
C:\Users\Admin\AppData\Local\Temp\129495455.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2228

C:\Users\Admin\AppData\Local\Temp\1162928210.exe
C:\Users\Admin\AppData\Local\Temp\1162928210.exe
7⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1876

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2964

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Windows Upgrade Manager" /tr "'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe'"
3⤵
- Creates scheduled task(s)
PID:2536

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "Windows Upgrade Manager"
2⤵
PID:2520

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3000

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Windows Upgrade Manager" /tr "'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe'"
3⤵
- Creates scheduled task(s)
PID:2392

C:\Windows\System32\notepad.exe
C:\Windows\System32\notepad.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2936

C:\Windows\system32\taskeng.exe
taskeng.exe {A4E6FFC7-5F5F-4E13-AB0F-3B95E6E2A2F9} S-1-5-21-3787592910-3720486031-2929222812-1000:HSNHLVYA\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2604

C:\Users\Admin\Windows Upgrade\wupgrdsv.exe
"C:\Users\Admin\Windows Upgrade\wupgrdsv.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HQQVSTWU\2[1]
Filesize
84KB

MD5
b464b1ac75172e05db725d17b9bb9044

SHA1
cc8689ef9f70be7210520bd68b9767e3c6f1e363

SHA256
c1b2b4d052f98028e6b32955ed052881591bbaa57f11279b7745cc26566f8268

SHA512
9adab953f44c68cd0eb37873a51d18827a06bf4d99d4d354053e16bd4c3bb272b9c9290cc4190919f9d89bfe6d304546ddffc460f8ee2ed8e75a9bd3e13294e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XJ0RD6PK\1[1]
Filesize
23KB

MD5
07d8d1886e9515653645a06317888a14

SHA1
50efdfb1b292bb28b9177e19e898d8b4ec59ec09

SHA256
4ecc3858eb5f437af29b9a7ed8fce1b2b6650573f06df09e551e77b1e599195b

SHA512
09d51a4ddb2d7e772547f5af7987cbd79c907b5cdcb13e6e3562d81a1a097c3a38f9f1b7c6b98ca81687990dcefdccb2b025ce2b253981dd94ecb554184e6894

Download Submit
C:\Users\Admin\AppData\Local\Temp\1162928210.exe
Filesize
5.4MB

MD5
41ab08c1955fce44bfd0c76a64d1945a

SHA1
2b9cb05f4de5d98c541d15175d7f0199cbdd0eea

SHA256
dd12cb27b3867341bf6ca48715756500d3ec56c19b21bb1c1290806aa74cb493

SHA512
38834ae703a8541b4fec9a1db94cfe296ead58649bb1d4873b517df14d0c6a9d25e49ff04c2bf6bb0188845116a4e894aae930d849f9be8c98d2ce51da1ef116

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
8b91048256828a4e0ddb0095ec4a7c48

SHA1
547a4a90a02ef3eda43fabd0e56e803040f25ac9

SHA256
92530a468a452d598a7533fe9f4b8291d9903921245b760e9a6f5ed598e97b38

SHA512
6d7c2ddb3f006ea8468384301e416623f6de5387036f6f8a584dbab8a1548117bfca3c477b48caa6e989073c8c209dc603d9c42507f96133727547c89324184d

Download Submit
\Users\Admin\AppData\Local\Temp\129495455.exe
Filesize
6KB

MD5
0d539e8277f20391a31babff8714fdb0

SHA1
a4e63870aa5fd258dde4f02be70732c27f556fa9

SHA256
669035f4f05fe6ffc7722987c41f802f3a11298cb3a154b00c4e76df2ae5fe32

SHA512
700ff1733a064ddda80c0ac4702e50a8c0ddd97f154ff894f89d16603c02076a13e1a93ca51224579898cdf69e560a69dff60d4f5e26a479e74a3e3350f822ff

Download Submit
\Users\Admin\AppData\Local\Temp\197762774.exe
Filesize
84KB

MD5
41d55c23d79fc0c0c322db16c6ce6af8

SHA1
e4bbdf2a983a11975a7ab6dcba41cb60676ec780

SHA256
93f3f99a6d6dc69b907a3da8596bd850c1e3ce53be9bf1c6edfdb00e90579e6f

SHA512
06680eb47802659dc2e28cd9a839052a8536112056db49f7179f1b53cf2dba0e9cfd9d8bbdeb446ecb8a2f4a58f7b0f100d0526660d4afd8540a4db091cf621f

Download Submit
\Users\Admin\AppData\Local\Temp\3047911394.exe
Filesize
23KB

MD5
9d2b22562b9a3958dfd7e6e6fa7bd66f

SHA1
1941c24958ac09cf518f4124225b2d0b5d874cf0

SHA256
84daa9d52f759af343741880a3b66a3abb886310de7f552743d99e69741c6450

SHA512
8c0b54e01f62207edaaf8f967fe83eacd3e278660c1764feb3fde68bfd376ba875012849f969d8b5922bd6b791a231bf75dc76eade227e2fd25f4791163d9dd1

Download Submit
\Users\Admin\AppData\Local\Temp\4B91.exe
Filesize
79KB

MD5
1e8a2ed2e3f35620fb6b8c2a782a57f3

SHA1
e924ce6d147ecc8b30b7c7cad02e5c9ae09a743a

SHA256
3f16f4550826076b2c8cd7b392ee649aeb06740328658a2d30c3d2002c6b7879

SHA512
ce4dc7fdd7f81a7a127d650f9175292b287b4803d815d74b64a4e5125cff66224d75e7ecade1d9c0e42f870bdb49a78e9613b1a49675ab5bc098611b99b49ade

Download Submit
memory/1876-111-0x000000013F600000-0x000000013FB76000-memory.dmp

Filesize
5.5MB

Download
memory/2936-136-0x0000000002100000-0x0000000002120000-memory.dmp

Filesize
128KB

Download
memory/2936-135-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2936-134-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2936-133-0x0000000002100000-0x0000000002120000-memory.dmp

Filesize
128KB

Download
memory/2936-132-0x00000000001C0000-0x00000000001E0000-memory.dmp

Filesize
128KB

Download
memory/2964-101-0x0000000001E90000-0x0000000001E98000-memory.dmp

Filesize
32KB

Download
memory/2964-105-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/2964-107-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/2964-106-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/2964-100-0x000000001B240000-0x000000001B522000-memory.dmp

Filesize
2.9MB

Download
memory/2964-108-0x000007FEF5AD0000-0x000007FEF646D000-memory.dmp

Filesize
9.6MB

Download
memory/2964-102-0x000007FEF5AD0000-0x000007FEF646D000-memory.dmp

Filesize
9.6MB

Download
memory/2964-103-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/2964-104-0x000007FEF5AD0000-0x000007FEF646D000-memory.dmp

Filesize
9.6MB

Download
memory/2996-131-0x000000013F3F0000-0x000000013F966000-memory.dmp

Filesize
5.5MB

Download
memory/3000-121-0x0000000001D30000-0x0000000001D38000-memory.dmp

Filesize
32KB

Download
memory/3000-127-0x00000000025B0000-0x0000000002630000-memory.dmp

Filesize
512KB

Download
memory/3000-128-0x000007FEF5130000-0x000007FEF5ACD000-memory.dmp

Filesize
9.6MB

Download
memory/3000-126-0x00000000025B0000-0x0000000002630000-memory.dmp

Filesize
512KB

Download
memory/3000-125-0x00000000025B0000-0x0000000002630000-memory.dmp

Filesize
512KB

Download
memory/3000-124-0x000007FEF5130000-0x000007FEF5ACD000-memory.dmp

Filesize
9.6MB

Download
memory/3000-123-0x00000000025B0000-0x0000000002630000-memory.dmp

Filesize
512KB

Download
memory/3000-122-0x000007FEF5130000-0x000007FEF5ACD000-memory.dmp

Filesize
9.6MB

Download
memory/3000-120-0x000000001B390000-0x000000001B672000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads