phorphiex | 0549d4e5d930015a66797a046bb931f3266d3a1da327891913b9b04e44c95eeb

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22-04-2024 18:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0549d4e5d930015a66797a046bb931f3266d3a1da327891913b9b04e44c95eeb.exe
Size

28KB
MD5

adb54611fc170de9e86d31181e567db4
SHA1

a0a7a7cff0904b406c4304a3f0e4d1436abf6a5c
SHA256

0549d4e5d930015a66797a046bb931f3266d3a1da327891913b9b04e44c95eeb
SHA512

0ed78e809d51ef88211f275021cbba1e843cba4a22354d4cd95d5b373e3d064eddafcf1b1239acb7064e311736ba67c1eae9800e2120d0764a7a659bd9b1e0f8
SSDEEP

384:j5RIDVmZ6zWTmydlSAw5dTxJjWOav8U9c2yweeeeeeeeWeeeee9MMp8pIP:DYijIAWdr9a0UFTeeeeeeeeWeeeee7P

Score

10^/10

phorphiex xmrig evasion loader miner persistence trojan worm

Malware Config

Extracted

Family

phorphiex

http://185.215.113.66/

Wallets

0xCa90599132C4D88907Bd8E046540284aa468a035

TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

LLeT2zkStY3cvxMBFhoWXkG5VuZPoezduv

rwc4LVd9ABpULQ1CuCpDkgX2xVB1fUijyb

48jYpFT6bT8MTeph7VsyzCQeDsGHqdQNc2kUkRFJPzfRHHjarBvBtudPUtParMkDzZbYBrd3yntWBQcsnVBNeeMbN9EXifg

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

17hgMFyLDwMjxWqw5GhijhnPdJDyFDqecY

ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3FerB8kUraAVGCVCNkgv57zTBjUGjAUkU3

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1epx67ne4vckqmaj4gwke8m322f4yjr6eh52wqw

bc1qmpkehfffkr6phuklsksnd7nhgx0369sxu772m3

bitcoincash:qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

GBQJMXYXPRIWFMXIFJR35ZB7LRKMB4PHCIUAUFR3TKUL6RDBZVLZEUJ3

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

12233550.exe268024160.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	12233550.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	268024160.exe

Phorphiex
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

Processes:

2200429360.exewupgrdsv.exe

description	pid	process	target process
PID 860 created 1200	860	2200429360.exe	Explorer.EXE
PID 860 created 1200	860	2200429360.exe	Explorer.EXE
PID 756 created 1200	756	wupgrdsv.exe	Explorer.EXE
PID 756 created 1200	756	wupgrdsv.exe	Explorer.EXE

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

12233550.exe268024160.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	12233550.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	12233550.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	12233550.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	12233550.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	268024160.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	268024160.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	268024160.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	12233550.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	12233550.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	268024160.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	268024160.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	268024160.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/756-167-0x000000013FC70000-0x00000001401E6000-memory.dmp	xmrig
behavioral1/memory/2796-170-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig

Downloads MZ/PE file

Executes dropped EXE 11 IoCs

Processes:

8C19.exe12233550.exe75868734.exe1338232779.exe268024160.exe2075332195.exe2655023471.exe219214699.exe43026400.exe2200429360.exewupgrdsv.exe

pid	process
2156	8C19.exe
2584	12233550.exe
564	75868734.exe
2492	1338232779.exe
1292	268024160.exe
2164	2075332195.exe
2028	2655023471.exe
2240	219214699.exe
2552	43026400.exe
860	2200429360.exe
756	wupgrdsv.exe

Loads dropped DLL 14 IoCs

Processes:

0549d4e5d930015a66797a046bb931f3266d3a1da327891913b9b04e44c95eeb.exe8C19.exe12233550.exe268024160.exe43026400.exetaskeng.exe

pid	process
2508	0549d4e5d930015a66797a046bb931f3266d3a1da327891913b9b04e44c95eeb.exe
2156	8C19.exe
2156	8C19.exe
2584	12233550.exe
2584	12233550.exe
2584	12233550.exe
2584	12233550.exe
1292	268024160.exe
1292	268024160.exe
1292	268024160.exe
1292	268024160.exe
2584	12233550.exe
2552	43026400.exe
2656	taskeng.exe

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

268024160.exe12233550.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	268024160.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	268024160.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	268024160.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	12233550.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	12233550.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	268024160.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	268024160.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	12233550.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	12233550.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	268024160.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	12233550.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	12233550.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	12233550.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	268024160.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

12233550.exe268024160.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\systrlvnxs.exe"	12233550.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Users\\Admin\\systrlvnxs.exe"	12233550.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\systrvltns.exe"	268024160.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Users\\Admin\\systrvltns.exe"	268024160.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

wupgrdsv.exe

description pid process target process

PID 756 set thread context of 2796 756 wupgrdsv.exe notepad.exe

description	pid	process	target process
PID 756 set thread context of 2796	756	wupgrdsv.exe	notepad.exe

Drops file in Windows directory 4 IoCs

Processes:

12233550.exe268024160.exe

description	ioc	process
File created	C:\Windows\systrlvnxs.exe	12233550.exe
File opened for modification	C:\Windows\systrlvnxs.exe	12233550.exe
File created	C:\Windows\systrvltns.exe	268024160.exe
File opened for modification	C:\Windows\systrvltns.exe	268024160.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2412 schtasks.exe
1316 schtasks.exe

pid	process
2412	schtasks.exe
1316	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

2200429360.exepowershell.exewupgrdsv.exepowershell.exe

pid	process
860	2200429360.exe
860	2200429360.exe
1512	powershell.exe
860	2200429360.exe
860	2200429360.exe
756	wupgrdsv.exe
756	wupgrdsv.exe
1932	powershell.exe
756	wupgrdsv.exe
756	wupgrdsv.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

468
Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

268024160.exe

pid process

1292 268024160.exe

pid	process
468

pid	process
1292	268024160.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exenotepad.exe

description	pid	process
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeLockMemoryPrivilege	2796	notepad.exe
Token: SeLockMemoryPrivilege	2796	notepad.exe

Suspicious use of FindShellTrayWindow 11 IoCs

Processes:

notepad.exe

pid	process
2796	notepad.exe
2796	notepad.exe
2796	notepad.exe
2796	notepad.exe
2796	notepad.exe
2796	notepad.exe
2796	notepad.exe
2796	notepad.exe
2796	notepad.exe
2796	notepad.exe
2796	notepad.exe

Suspicious use of SendNotifyMessage 11 IoCs

Processes:

notepad.exe

pid	process
2796	notepad.exe
2796	notepad.exe
2796	notepad.exe
2796	notepad.exe
2796	notepad.exe
2796	notepad.exe
2796	notepad.exe
2796	notepad.exe
2796	notepad.exe
2796	notepad.exe
2796	notepad.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

0549d4e5d930015a66797a046bb931f3266d3a1da327891913b9b04e44c95eeb.exe8C19.exe12233550.exe268024160.exe43026400.exepowershell.exetaskeng.exepowershell.exewupgrdsv.exe

description	pid	process	target process
PID 2508 wrote to memory of 2156	2508	0549d4e5d930015a66797a046bb931f3266d3a1da327891913b9b04e44c95eeb.exe	8C19.exe
PID 2508 wrote to memory of 2156	2508	0549d4e5d930015a66797a046bb931f3266d3a1da327891913b9b04e44c95eeb.exe	8C19.exe
PID 2508 wrote to memory of 2156	2508	0549d4e5d930015a66797a046bb931f3266d3a1da327891913b9b04e44c95eeb.exe	8C19.exe
PID 2508 wrote to memory of 2156	2508	0549d4e5d930015a66797a046bb931f3266d3a1da327891913b9b04e44c95eeb.exe	8C19.exe
PID 2156 wrote to memory of 2584	2156	8C19.exe	12233550.exe
PID 2156 wrote to memory of 2584	2156	8C19.exe	12233550.exe
PID 2156 wrote to memory of 2584	2156	8C19.exe	12233550.exe
PID 2156 wrote to memory of 2584	2156	8C19.exe	12233550.exe
PID 2584 wrote to memory of 564	2584	12233550.exe	75868734.exe
PID 2584 wrote to memory of 564	2584	12233550.exe	75868734.exe
PID 2584 wrote to memory of 564	2584	12233550.exe	75868734.exe
PID 2584 wrote to memory of 564	2584	12233550.exe	75868734.exe
PID 2584 wrote to memory of 2492	2584	12233550.exe	1338232779.exe
PID 2584 wrote to memory of 2492	2584	12233550.exe	1338232779.exe
PID 2584 wrote to memory of 2492	2584	12233550.exe	1338232779.exe
PID 2584 wrote to memory of 2492	2584	12233550.exe	1338232779.exe
PID 2584 wrote to memory of 1292	2584	12233550.exe	268024160.exe
PID 2584 wrote to memory of 1292	2584	12233550.exe	268024160.exe
PID 2584 wrote to memory of 1292	2584	12233550.exe	268024160.exe
PID 2584 wrote to memory of 1292	2584	12233550.exe	268024160.exe
PID 1292 wrote to memory of 2164	1292	268024160.exe	2075332195.exe
PID 1292 wrote to memory of 2164	1292	268024160.exe	2075332195.exe
PID 1292 wrote to memory of 2164	1292	268024160.exe	2075332195.exe
PID 1292 wrote to memory of 2164	1292	268024160.exe	2075332195.exe
PID 1292 wrote to memory of 2028	1292	268024160.exe	2655023471.exe
PID 1292 wrote to memory of 2028	1292	268024160.exe	2655023471.exe
PID 1292 wrote to memory of 2028	1292	268024160.exe	2655023471.exe
PID 1292 wrote to memory of 2028	1292	268024160.exe	2655023471.exe
PID 1292 wrote to memory of 2240	1292	268024160.exe	219214699.exe
PID 1292 wrote to memory of 2240	1292	268024160.exe	219214699.exe
PID 1292 wrote to memory of 2240	1292	268024160.exe	219214699.exe
PID 1292 wrote to memory of 2240	1292	268024160.exe	219214699.exe
PID 2584 wrote to memory of 2552	2584	12233550.exe	43026400.exe
PID 2584 wrote to memory of 2552	2584	12233550.exe	43026400.exe
PID 2584 wrote to memory of 2552	2584	12233550.exe	43026400.exe
PID 2584 wrote to memory of 2552	2584	12233550.exe	43026400.exe
PID 2552 wrote to memory of 860	2552	43026400.exe	2200429360.exe
PID 2552 wrote to memory of 860	2552	43026400.exe	2200429360.exe
PID 2552 wrote to memory of 860	2552	43026400.exe	2200429360.exe
PID 2552 wrote to memory of 860	2552	43026400.exe	2200429360.exe
PID 1512 wrote to memory of 2412	1512	powershell.exe	schtasks.exe
PID 1512 wrote to memory of 2412	1512	powershell.exe	schtasks.exe
PID 1512 wrote to memory of 2412	1512	powershell.exe	schtasks.exe
PID 2656 wrote to memory of 756	2656	taskeng.exe	wupgrdsv.exe
PID 2656 wrote to memory of 756	2656	taskeng.exe	wupgrdsv.exe
PID 2656 wrote to memory of 756	2656	taskeng.exe	wupgrdsv.exe
PID 1932 wrote to memory of 1316	1932	powershell.exe	schtasks.exe
PID 1932 wrote to memory of 1316	1932	powershell.exe	schtasks.exe
PID 1932 wrote to memory of 1316	1932	powershell.exe	schtasks.exe
PID 756 wrote to memory of 2796	756	wupgrdsv.exe	notepad.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200
- C:\Users\Admin\AppData\Local\Temp\0549d4e5d930015a66797a046bb931f3266d3a1da327891913b9b04e44c95eeb.exe
  "C:\Users\Admin\AppData\Local\Temp\0549d4e5d930015a66797a046bb931f3266d3a1da327891913b9b04e44c95eeb.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Users\Admin\AppData\Local\Temp\8C19.exe
    "C:\Users\Admin\AppData\Local\Temp\8C19.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Users\Admin\AppData\Local\Temp\12233550.exe
      C:\Users\Admin\AppData\Local\Temp\12233550.exe
      4⤵
      Modifies security service
      Windows security bypass
      Executes dropped EXE
      Loads dropped DLL
      Windows security modification
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:2584
    - - C:\Users\Admin\AppData\Local\Temp\75868734.exe
        
        C:\Users\Admin\AppData\Local\Temp\75868734.exe
        5⤵
        Executes dropped EXE
        
        PID:564
    - - C:\Users\Admin\AppData\Local\Temp\1338232779.exe
        
        C:\Users\Admin\AppData\Local\Temp\1338232779.exe
        5⤵
        Executes dropped EXE
        
        PID:2492
    - - C:\Users\Admin\AppData\Local\Temp\268024160.exe
        
        C:\Users\Admin\AppData\Local\Temp\268024160.exe
        5⤵
        Modifies security service
        Windows security bypass
        Executes dropped EXE
        Loads dropped DLL
        Windows security modification
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious behavior: SetClipboardViewer
        Suspicious use of WriteProcessMemory
        
        PID:1292
      - C:\Users\Admin\AppData\Local\Temp\2075332195.exe
        
        C:\Users\Admin\AppData\Local\Temp\2075332195.exe
        6⤵
        Executes dropped EXE
        
        PID:2164
      - C:\Users\Admin\AppData\Local\Temp\2655023471.exe
        
        C:\Users\Admin\AppData\Local\Temp\2655023471.exe
        6⤵
        Executes dropped EXE
        
        PID:2028
      - C:\Users\Admin\AppData\Local\Temp\219214699.exe
        
        C:\Users\Admin\AppData\Local\Temp\219214699.exe
        6⤵
        Executes dropped EXE
        
        PID:2240
    - - C:\Users\Admin\AppData\Local\Temp\43026400.exe
        
        C:\Users\Admin\AppData\Local\Temp\43026400.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2552
      - C:\Users\Admin\AppData\Local\Temp\2200429360.exe
        
        C:\Users\Admin\AppData\Local\Temp\2200429360.exe
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Windows Upgrade Manager" /tr "'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:2412
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "Windows Upgrade Manager"
  2⤵
  PID:2156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Windows Upgrade Manager" /tr "'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:1316
- C:\Windows\System32\notepad.exe
  C:\Windows\System32\notepad.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2796

C:\Windows\system32\taskeng.exe
taskeng.exe {809DDBB6-B47E-4D64-99CF-B6FCB92F74D9} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Users\Admin\Windows Upgrade\wupgrdsv.exe
  "C:\Users\Admin\Windows Upgrade\wupgrdsv.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2075332195.exe

Filesize
8KB

MD5
2f070b82ebdbdd85642878dae67d9aff

SHA1
7ca4699de2f315d6637a42a8ad7cbeec76736584

SHA256
3f805c0097a0dbfc875ab0a16180d39bdc49de849687bc2906b15c2a0fefe2ab

SHA512
7a2e1babca20b28c82559104781a7c72db55cfa0ef52d2c1a76e9123ce9d000f140ef0959b4add53c342cb40b743bb013f69f5a0e9dc321a71835b8a9dd7a808

Download Submit
C:\Users\Admin\AppData\Local\Temp\49789700.exe

Filesize
86KB

MD5
fe1e93f12cca3f7c0c897ef2084e1778

SHA1
fb588491ddad8b24ea555a6a2727e76cec1fade3

SHA256
2ebc4a92f4fdc27d4ab56e57058575a8b18adb076cbd30feea2ecdc8b7fcd41f

SHA512
36e0524c465187ae9ad207c724aee45bcd61cfd3fa66a79f9434d24fcbadc0a743834d5e808e6041f3bd88e75deb5afd34193574f005ed97e4b17c6b0388cb93

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QCHEP64YUL5WUP0TWPO1.temp

Filesize
7KB

MD5
751ea052b88f207fe25592f171030660

SHA1
67d1e0787ab222c9afd0d51f390b2dc9bb6bc36c

SHA256
9d8f996ebce8fed24359e563661e601021f527d37deff72c0d0546600c95bf51

SHA512
6a5e08c7c67a535b53eaf9f2364e9e546c7351351ad69aaa23452ba4efd1ba26ac590ddfe19156baad2e2dc98b4533eac00eec696c717e27ff82553c5a88af6b

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
4KB

MD5
51f0c247ebb810e5a6fcfc306cb5ba39

SHA1
fc4a8c4c6ce9b891165d535f118c8fe01639f5bf

SHA256
e4c5c6f5a05d79729c401599cb938d1e1ac319d118b5b34ce1b210a53c09a84f

SHA512
366320cf19c7a04c8a4687a916abdcf9a48ba69c01a33915d95bbf5284ee55a8e3c252241898dae674679af87e3e888de358b3fc76740d3ca271735db943396d

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
4KB

MD5
79273b8dfe564d9010c3d81351a8223b

SHA1
975944e42af22342687b966be7439cfa72c43021

SHA256
d0669401c86f789ff22a0ee8087eaa2899caaeceed7587e61eab5e1c2d28683a

SHA512
1553b8567cc189a579dff983647f4f8755e2bedc41882cf13b433c93c7538530703768d622be1b646b24ebf4589a4fd01e3ffc72b204d6f403d67b8980a11203

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
4KB

MD5
d73cf76255ed3e90e72d98d28e8eddd3

SHA1
d58abac9bb8e4bb30cea4ef3ba7aa19186189fb5

SHA256
bfcb5f4589729deeeb57b92842933b144322a672cfe3ce11586f1aec83472781

SHA512
20ef064050ba23e5163435c595bc9c81422ca3b8ac82338ff965961a954bd9c0da9b13f489997015565908d1105784b712ccc2b3a478fe990e4b99e071bfa9b2

Download Submit
\Users\Admin\AppData\Local\Temp\12233550.exe

Filesize
78KB

MD5
efc57ed49a29d9c43f780ac57d9383ea

SHA1
6feb772dab15a7004cccefd6e77aa47cafbb89ed

SHA256
12a8944b51b66b76945d6e39e43d551bc242691bb03467db608f047c2d5a7749

SHA512
37f09dc9adf4b554d604f35ce7a4d5527acbe9d6d3b6cdcb7a81c5e4d06bc22131cb42a5c611abf9088b61a9ce7b01b64b5328401abaec73471d2555d3e1c9b3

Download Submit
\Users\Admin\AppData\Local\Temp\1338232779.exe

Filesize
9KB

MD5
0941af53968d11cd002f1844334f90bb

SHA1
d14e793ace957196184cb1532630c19f45a18738

SHA256
1330ad31cbee38ba83e8b4ffcdd8ac941b942c4abd2a5b8cd14c1778979e59c7

SHA512
8d1f2426442d17f915bd6dcac803442c390ff15e670fb6d1c50425be75383f1146680f9495a0e7ee84caf2f73989b89f20ff5d99e017be870edf5e13eea9db23

Download Submit
\Users\Admin\AppData\Local\Temp\2200429360.exe

Filesize
5.4MB

MD5
41ab08c1955fce44bfd0c76a64d1945a

SHA1
2b9cb05f4de5d98c541d15175d7f0199cbdd0eea

SHA256
dd12cb27b3867341bf6ca48715756500d3ec56c19b21bb1c1290806aa74cb493

SHA512
38834ae703a8541b4fec9a1db94cfe296ead58649bb1d4873b517df14d0c6a9d25e49ff04c2bf6bb0188845116a4e894aae930d849f9be8c98d2ce51da1ef116

Download Submit
\Users\Admin\AppData\Local\Temp\268024160.exe

Filesize
89KB

MD5
a1151afcffa047deb643bb06b11ceacc

SHA1
537abe3abcfd2f2fc49ef1f61c0dba9ed36a1601

SHA256
cf9e35157404a4c1d64395076d7f76471b3738d86b09a26b39d7d97e40c03b90

SHA512
edeef562c3803a47d59ed19c8c72a22f25a18d3c6e98c202a376d152dc7d8a00bffcc1f64c3d3bb9284f409982bcb009463287e053bb7e95314d45f53ee782a0

Download Submit
\Users\Admin\AppData\Local\Temp\43026400.exe

Filesize
6KB

MD5
0d539e8277f20391a31babff8714fdb0

SHA1
a4e63870aa5fd258dde4f02be70732c27f556fa9

SHA256
669035f4f05fe6ffc7722987c41f802f3a11298cb3a154b00c4e76df2ae5fe32

SHA512
700ff1733a064ddda80c0ac4702e50a8c0ddd97f154ff894f89d16603c02076a13e1a93ca51224579898cdf69e560a69dff60d4f5e26a479e74a3e3350f822ff

Download Submit
\Users\Admin\AppData\Local\Temp\75868734.exe

Filesize
8KB

MD5
da835ecda7aa46d4740d10b378f8fc6c

SHA1
7cc67054686a6398f68a497e9146bead5f7470c4

SHA256
43bbf7187417f542305f1fad3f71976adb1b8b14c32ac87fda4c92a4734e0595

SHA512
5851f60985f8b364d73570e27efadf6c0cc8c13734c24191a753da988c8ee44a4e46da32c1796ff4c5b3b8f314c54164da00f0d120ba469bfcf76b6d27db8407

Download Submit
\Users\Admin\AppData\Local\Temp\8C19.exe

Filesize
9KB

MD5
62b97cf4c0abafeda36e3fc101a5a022

SHA1
328fae9acff3f17df6e9dc8d6ef1cec679d4eb2b

SHA256
e172537adcee1fcdc8f16c23e43a5ac82c56a0347fa0197c08be979438a534ab

SHA512
32bd7062aabd25205471cec8d292b820fc2fd2479da6fb723332887fc47036570bb2d25829acb7c883ccaaab272828c8effbc78f02a3deeabb47656f4b64eb24

Download Submit
memory/756-167-0x000000013FC70000-0x00000001401E6000-memory.dmp

Filesize
5.5MB

Download
memory/860-147-0x000000013F1B0000-0x000000013F726000-memory.dmp

Filesize
5.5MB

Download
memory/1512-141-0x000007FEF5360000-0x000007FEF5CFD000-memory.dmp

Filesize
9.6MB

Download
memory/1512-138-0x000007FEF5360000-0x000007FEF5CFD000-memory.dmp

Filesize
9.6MB

Download
memory/1512-142-0x00000000025D0000-0x0000000002650000-memory.dmp

Filesize
512KB

Download
memory/1512-143-0x00000000025D0000-0x0000000002650000-memory.dmp

Filesize
512KB

Download
memory/1512-144-0x000007FEF5360000-0x000007FEF5CFD000-memory.dmp

Filesize
9.6MB

Download
memory/1512-140-0x00000000025D0000-0x0000000002650000-memory.dmp

Filesize
512KB

Download
memory/1512-139-0x00000000023D0000-0x00000000023D8000-memory.dmp

Filesize
32KB

Download
memory/1512-137-0x000000001B190000-0x000000001B472000-memory.dmp

Filesize
2.9MB

Download
memory/1932-158-0x000007FEF49C0000-0x000007FEF535D000-memory.dmp

Filesize
9.6MB

Download
memory/1932-157-0x0000000002320000-0x0000000002328000-memory.dmp

Filesize
32KB

Download
memory/1932-159-0x00000000027D0000-0x0000000002850000-memory.dmp

Filesize
512KB

Download
memory/1932-160-0x000007FEF49C0000-0x000007FEF535D000-memory.dmp

Filesize
9.6MB

Download
memory/1932-161-0x00000000027D0000-0x0000000002850000-memory.dmp

Filesize
512KB

Download
memory/1932-162-0x00000000027D0000-0x0000000002850000-memory.dmp

Filesize
512KB

Download
memory/1932-163-0x00000000027D0000-0x0000000002850000-memory.dmp

Filesize
512KB

Download
memory/1932-164-0x000007FEF49C0000-0x000007FEF535D000-memory.dmp

Filesize
9.6MB

Download
memory/1932-156-0x000000001B1F0000-0x000000001B4D2000-memory.dmp

Filesize
2.9MB

Download
memory/2796-168-0x00000000000C0000-0x00000000000E0000-memory.dmp

Filesize
128KB

Download
memory/2796-169-0x0000000000660000-0x0000000000680000-memory.dmp

Filesize
128KB

Download
memory/2796-170-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download