xmrig | fbfa20ca6337fbe8f71ebab5e3328af667b9e9f4ad56ec7669e502f19e4f6905

Analysis

max time kernel
1799s
max time network
1798s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
14-05-2024 11:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader.exe
Size

353KB
MD5

da4a981460566d93b7c25f1527c5d321
SHA1

ad0dc4e6192057d2f80b080741cdfea83c399a0b
SHA256

fbfa20ca6337fbe8f71ebab5e3328af667b9e9f4ad56ec7669e502f19e4f6905
SHA512

06d57ca29fb36c3c17f275485a69e58d3bb51a543f7dc96945122ad2108967a7995373ead8ce86eb9efc8131e1ae41dd2ac62cd02acb1933eac494e1ba1c6c93
SSDEEP

6144:ujwCtJxxb+fFgfWNIQudUChHCDomqrnBTcqRVhh69NhSzN+9Im:ujwC/xxpONIFFHCDVqpcqpc9zZO

Score

10^/10

xmrig zgrat evasion execution miner persistence rat spyware stealer upx

Malware Config

Signatures

Detect ZGRat V1 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Checker.exe	family_zgrat_v1
C:\blockcontainerWincrtdll\Sessionperf.exe	family_zgrat_v1
behavioral1/memory/4088-30-0x0000000000D10000-0x00000000010B2000-memory.dmp	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Sessionperf.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\PrintHood\\Idle.exe\", \"C:\\blockcontainerWincrtdll\\dllhost.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\cmd.exe\", \"C:\\Program Files\\Reference Assemblies\\wininit.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\PrintHood\\Idle.exe\", \"C:\\blockcontainerWincrtdll\\dllhost.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\cmd.exe\", \"C:\\Program Files\\Reference Assemblies\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\Utility.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\PrintHood\\Idle.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\PrintHood\\Idle.exe\", \"C:\\blockcontainerWincrtdll\\dllhost.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\PrintHood\\Idle.exe\", \"C:\\blockcontainerWincrtdll\\dllhost.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\cmd.exe\""	Sessionperf.exe

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	1996	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4136	1996	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	1996	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	500	1996	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	1996	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4492	1996	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	1996	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3636	1996	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4936	1996	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3332	1996	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	404	1996	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4264	1996	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3220	1996	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4852	1996	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4528	1996	schtasks.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 12 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1360-565-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1360-564-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1360-570-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1360-571-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1360-568-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1360-567-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1360-569-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1360-595-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1360-596-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1360-630-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1360-631-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1360-632-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

1196 powershell.exe
2900 powershell.exe
828 powershell.exe
4516 powershell.exe
5012 powershell.exe
2712 powershell.exe
1460 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Disables Task Manager via registry modification
evasion
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

pid	process
1196	powershell.exe
2900	powershell.exe
828	powershell.exe
4516	powershell.exe
5012	powershell.exe
2712	powershell.exe
1460	powershell.exe

Executes dropped EXE 23 IoCs

Processes:

Checker.exeUtility.exeSessionperf.exeUtility.exelhhsgwktkatl.exeIdle.exewininit.exedllhost.exeUtility.execmd.exeIdle.exewininit.exedllhost.exeUtility.exeIdle.execmd.exewininit.exeIdle.exedllhost.exeUtility.execmd.exewininit.exeIdle.exe

pid	process
2740	Checker.exe
1344	Utility.exe
4088	Sessionperf.exe
3324	Utility.exe
3104	lhhsgwktkatl.exe
4484	Idle.exe
4412	wininit.exe
4052	dllhost.exe
1724	Utility.exe
4016	cmd.exe
2192	Idle.exe
2224	wininit.exe
2528	dllhost.exe
4740	Utility.exe
1244	Idle.exe
4972	cmd.exe
164	wininit.exe
1524	Idle.exe
1952	dllhost.exe
1732	Utility.exe
1580	cmd.exe
4616	wininit.exe
4544	Idle.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1360-565-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1360-564-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1360-570-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1360-571-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1360-568-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1360-567-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1360-569-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1360-563-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1360-561-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1360-559-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1360-560-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1360-562-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1360-595-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1360-596-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1360-630-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1360-631-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1360-632-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Sessionperf.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\Utility = "\"C:\\Recovery\\WindowsRE\\Utility.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Default\\PrintHood\\Idle.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\blockcontainerWincrtdll\\dllhost.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files\\MSBuild\\Microsoft\\cmd.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Reference Assemblies\\wininit.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Utility = "\"C:\\Recovery\\WindowsRE\\Utility.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Default\\PrintHood\\Idle.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\blockcontainerWincrtdll\\dllhost.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files\\MSBuild\\Microsoft\\cmd.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Reference Assemblies\\wininit.exe\""	Sessionperf.exe

Drops file in System32 directory 6 IoCs

Processes:

powershell.exelhhsgwktkatl.execsc.exeUtility.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	lhhsgwktkatl.exe
File created	\??\c:\Windows\System32\CSC48781723969843A394A0FF2566F5176C.TMP	csc.exe
File created	\??\c:\Windows\System32\leoba4.exe	csc.exe
File opened for modification	C:\Windows\system32\MRT.exe	Utility.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

lhhsgwktkatl.exe

description	pid	process	target process
PID 3104 set thread context of 2348	3104	lhhsgwktkatl.exe	conhost.exe
PID 3104 set thread context of 1360	3104	lhhsgwktkatl.exe	conhost.exe

Drops file in Program Files directory 4 IoCs

Processes:

Sessionperf.exe

description	ioc	process
File created	C:\Program Files\MSBuild\Microsoft\cmd.exe	Sessionperf.exe
File created	C:\Program Files\MSBuild\Microsoft\ebf1f9fa8afd6d	Sessionperf.exe
File created	C:\Program Files\Reference Assemblies\wininit.exe	Sessionperf.exe
File created	C:\Program Files\Reference Assemblies\56085415360792	Sessionperf.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

3744 sc.exe
4128 sc.exe
2120 sc.exe
1428 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3744	sc.exe
4128	sc.exe
2120	sc.exe
1428	sc.exe

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
700	schtasks.exe
2204	schtasks.exe
2348	schtasks.exe
4264	schtasks.exe
4492	schtasks.exe
3636	schtasks.exe
404	schtasks.exe
4852	schtasks.exe
500	schtasks.exe
3332	schtasks.exe
3220	schtasks.exe
4528	schtasks.exe
4136	schtasks.exe
1860	schtasks.exe
4936	schtasks.exe

Modifies data under HKEY_USERS 47 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe

Modifies registry class 2 IoCs

Processes:

Checker.exeSessionperf.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	Checker.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	Sessionperf.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4988 reg.exe

pid	process
4988	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Sessionperf.exe

pid	process
4088	Sessionperf.exe
4088	Sessionperf.exe
4088	Sessionperf.exe
4088	Sessionperf.exe
4088	Sessionperf.exe
4088	Sessionperf.exe
4088	Sessionperf.exe
4088	Sessionperf.exe
4088	Sessionperf.exe
4088	Sessionperf.exe
4088	Sessionperf.exe
4088	Sessionperf.exe
4088	Sessionperf.exe
4088	Sessionperf.exe
4088	Sessionperf.exe
4088	Sessionperf.exe
4088	Sessionperf.exe
4088	Sessionperf.exe
4088	Sessionperf.exe
4088	Sessionperf.exe
4088	Sessionperf.exe
4088	Sessionperf.exe
4088	Sessionperf.exe
4088	Sessionperf.exe
4088	Sessionperf.exe
4088	Sessionperf.exe
4088	Sessionperf.exe
4088	Sessionperf.exe
4088	Sessionperf.exe
4088	Sessionperf.exe
4088	Sessionperf.exe
4088	Sessionperf.exe
4088	Sessionperf.exe
4088	Sessionperf.exe
4088	Sessionperf.exe
4088	Sessionperf.exe
4088	Sessionperf.exe
4088	Sessionperf.exe
4088	Sessionperf.exe
4088	Sessionperf.exe
4088	Sessionperf.exe
4088	Sessionperf.exe
4088	Sessionperf.exe
4088	Sessionperf.exe
4088	Sessionperf.exe
4088	Sessionperf.exe
4088	Sessionperf.exe
4088	Sessionperf.exe
4088	Sessionperf.exe
4088	Sessionperf.exe
4088	Sessionperf.exe
4088	Sessionperf.exe
4088	Sessionperf.exe
4088	Sessionperf.exe
4088	Sessionperf.exe
4088	Sessionperf.exe
4088	Sessionperf.exe
4088	Sessionperf.exe
4088	Sessionperf.exe
4088	Sessionperf.exe
4088	Sessionperf.exe
4088	Sessionperf.exe
4088	Sessionperf.exe
4088	Sessionperf.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Utility.exe

pid process

3324 Utility.exe

pid	process
3324	Utility.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Loader.exeSessionperf.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	204	Loader.exe
Token: SeDebugPrivilege	4088	Sessionperf.exe
Token: SeDebugPrivilege	4516	powershell.exe
Token: SeDebugPrivilege	5012	powershell.exe
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	1460	powershell.exe
Token: SeDebugPrivilege	1196	powershell.exe
Token: SeIncreaseQuotaPrivilege	5012	powershell.exe
Token: SeSecurityPrivilege	5012	powershell.exe
Token: SeTakeOwnershipPrivilege	5012	powershell.exe
Token: SeLoadDriverPrivilege	5012	powershell.exe
Token: SeSystemProfilePrivilege	5012	powershell.exe
Token: SeSystemtimePrivilege	5012	powershell.exe
Token: SeProfSingleProcessPrivilege	5012	powershell.exe
Token: SeIncBasePriorityPrivilege	5012	powershell.exe
Token: SeCreatePagefilePrivilege	5012	powershell.exe
Token: SeBackupPrivilege	5012	powershell.exe
Token: SeRestorePrivilege	5012	powershell.exe
Token: SeShutdownPrivilege	5012	powershell.exe
Token: SeDebugPrivilege	5012	powershell.exe
Token: SeSystemEnvironmentPrivilege	5012	powershell.exe
Token: SeRemoteShutdownPrivilege	5012	powershell.exe
Token: SeUndockPrivilege	5012	powershell.exe
Token: SeManageVolumePrivilege	5012	powershell.exe
Token: 33	5012	powershell.exe
Token: 34	5012	powershell.exe
Token: 35	5012	powershell.exe
Token: 36	5012	powershell.exe
Token: SeIncreaseQuotaPrivilege	2712	powershell.exe
Token: SeSecurityPrivilege	2712	powershell.exe
Token: SeTakeOwnershipPrivilege	2712	powershell.exe
Token: SeLoadDriverPrivilege	2712	powershell.exe
Token: SeSystemProfilePrivilege	2712	powershell.exe
Token: SeSystemtimePrivilege	2712	powershell.exe
Token: SeProfSingleProcessPrivilege	2712	powershell.exe
Token: SeIncBasePriorityPrivilege	2712	powershell.exe
Token: SeCreatePagefilePrivilege	2712	powershell.exe
Token: SeBackupPrivilege	2712	powershell.exe
Token: SeRestorePrivilege	2712	powershell.exe
Token: SeShutdownPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeSystemEnvironmentPrivilege	2712	powershell.exe
Token: SeRemoteShutdownPrivilege	2712	powershell.exe
Token: SeUndockPrivilege	2712	powershell.exe
Token: SeManageVolumePrivilege	2712	powershell.exe
Token: 33	2712	powershell.exe
Token: 34	2712	powershell.exe
Token: 35	2712	powershell.exe
Token: 36	2712	powershell.exe
Token: SeIncreaseQuotaPrivilege	4516	powershell.exe
Token: SeSecurityPrivilege	4516	powershell.exe
Token: SeTakeOwnershipPrivilege	4516	powershell.exe
Token: SeLoadDriverPrivilege	4516	powershell.exe
Token: SeSystemProfilePrivilege	4516	powershell.exe
Token: SeSystemtimePrivilege	4516	powershell.exe
Token: SeProfSingleProcessPrivilege	4516	powershell.exe
Token: SeIncBasePriorityPrivilege	4516	powershell.exe
Token: SeCreatePagefilePrivilege	4516	powershell.exe
Token: SeBackupPrivilege	4516	powershell.exe
Token: SeRestorePrivilege	4516	powershell.exe
Token: SeShutdownPrivilege	4516	powershell.exe
Token: SeDebugPrivilege	4516	powershell.exe
Token: SeSystemEnvironmentPrivilege	4516	powershell.exe
Token: SeRemoteShutdownPrivilege	4516	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Utility.exe

pid process

3324 Utility.exe

pid	process
3324	Utility.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

Loader.exeChecker.exeWScript.execmd.exeSessionperf.execsc.execmd.execmd.exelhhsgwktkatl.execmd.exe

description	pid	process	target process
PID 204 wrote to memory of 2740	204	Loader.exe	Checker.exe
PID 204 wrote to memory of 2740	204	Loader.exe	Checker.exe
PID 204 wrote to memory of 2740	204	Loader.exe	Checker.exe
PID 2740 wrote to memory of 1616	2740	Checker.exe	WScript.exe
PID 2740 wrote to memory of 1616	2740	Checker.exe	WScript.exe
PID 2740 wrote to memory of 1616	2740	Checker.exe	WScript.exe
PID 204 wrote to memory of 1344	204	Loader.exe	Utility.exe
PID 204 wrote to memory of 1344	204	Loader.exe	Utility.exe
PID 1616 wrote to memory of 2108	1616	WScript.exe	cmd.exe
PID 1616 wrote to memory of 2108	1616	WScript.exe	cmd.exe
PID 1616 wrote to memory of 2108	1616	WScript.exe	cmd.exe
PID 2108 wrote to memory of 4988	2108	cmd.exe	reg.exe
PID 2108 wrote to memory of 4988	2108	cmd.exe	reg.exe
PID 2108 wrote to memory of 4988	2108	cmd.exe	reg.exe
PID 2108 wrote to memory of 4088	2108	cmd.exe	Sessionperf.exe
PID 2108 wrote to memory of 4088	2108	cmd.exe	Sessionperf.exe
PID 4088 wrote to memory of 1988	4088	Sessionperf.exe	csc.exe
PID 4088 wrote to memory of 1988	4088	Sessionperf.exe	csc.exe
PID 1988 wrote to memory of 4148	1988	csc.exe	cvtres.exe
PID 1988 wrote to memory of 4148	1988	csc.exe	cvtres.exe
PID 4088 wrote to memory of 1196	4088	Sessionperf.exe	powershell.exe
PID 4088 wrote to memory of 1196	4088	Sessionperf.exe	powershell.exe
PID 4088 wrote to memory of 1460	4088	Sessionperf.exe	powershell.exe
PID 4088 wrote to memory of 1460	4088	Sessionperf.exe	powershell.exe
PID 4088 wrote to memory of 2712	4088	Sessionperf.exe	powershell.exe
PID 4088 wrote to memory of 2712	4088	Sessionperf.exe	powershell.exe
PID 4088 wrote to memory of 5012	4088	Sessionperf.exe	powershell.exe
PID 4088 wrote to memory of 5012	4088	Sessionperf.exe	powershell.exe
PID 4088 wrote to memory of 4516	4088	Sessionperf.exe	powershell.exe
PID 4088 wrote to memory of 4516	4088	Sessionperf.exe	powershell.exe
PID 4088 wrote to memory of 2596	4088	Sessionperf.exe	cmd.exe
PID 4088 wrote to memory of 2596	4088	Sessionperf.exe	cmd.exe
PID 2596 wrote to memory of 4068	2596	cmd.exe	chcp.com
PID 2596 wrote to memory of 4068	2596	cmd.exe	chcp.com
PID 2596 wrote to memory of 2084	2596	cmd.exe	w32tm.exe
PID 2596 wrote to memory of 2084	2596	cmd.exe	w32tm.exe
PID 2596 wrote to memory of 3324	2596	cmd.exe	Utility.exe
PID 2596 wrote to memory of 3324	2596	cmd.exe	Utility.exe
PID 2948 wrote to memory of 4448	2948	cmd.exe	wusa.exe
PID 2948 wrote to memory of 4448	2948	cmd.exe	wusa.exe
PID 3104 wrote to memory of 2348	3104	lhhsgwktkatl.exe	conhost.exe
PID 3104 wrote to memory of 2348	3104	lhhsgwktkatl.exe	conhost.exe
PID 3104 wrote to memory of 2348	3104	lhhsgwktkatl.exe	conhost.exe
PID 3104 wrote to memory of 2348	3104	lhhsgwktkatl.exe	conhost.exe
PID 3104 wrote to memory of 2348	3104	lhhsgwktkatl.exe	conhost.exe
PID 3104 wrote to memory of 2348	3104	lhhsgwktkatl.exe	conhost.exe
PID 3104 wrote to memory of 2348	3104	lhhsgwktkatl.exe	conhost.exe
PID 3104 wrote to memory of 2348	3104	lhhsgwktkatl.exe	conhost.exe
PID 3104 wrote to memory of 2348	3104	lhhsgwktkatl.exe	conhost.exe
PID 3104 wrote to memory of 1360	3104	lhhsgwktkatl.exe	conhost.exe
PID 3104 wrote to memory of 1360	3104	lhhsgwktkatl.exe	conhost.exe
PID 3104 wrote to memory of 1360	3104	lhhsgwktkatl.exe	conhost.exe
PID 3104 wrote to memory of 1360	3104	lhhsgwktkatl.exe	conhost.exe
PID 3104 wrote to memory of 1360	3104	lhhsgwktkatl.exe	conhost.exe
PID 5084 wrote to memory of 3664	5084	cmd.exe	wusa.exe
PID 5084 wrote to memory of 3664	5084	cmd.exe	wusa.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:204
- C:\Users\Admin\AppData\Local\Temp\Checker.exe
  "C:\Users\Admin\AppData\Local\Temp\Checker.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\blockcontainerWincrtdll\SFUqxLlNpV20NJ9uCnUYCbrkrl1WOe98n.vbe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1616
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\blockcontainerWincrtdll\TudTneFnbF0PE5UTQ8BUoLqStO6.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2108
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:4988
    - - C:\blockcontainerWincrtdll\Sessionperf.exe
        
        "C:\blockcontainerWincrtdll/Sessionperf.exe"
        5⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4088
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pdz4ds32\pdz4ds32.cmdline"
        6⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7A41.tmp" "c:\Windows\System32\CSC48781723969843A394A0FF2566F5176C.TMP"
        7⤵
        
        PID:4148
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\PrintHood\Idle.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1196
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\blockcontainerWincrtdll\dllhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1460
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\cmd.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\wininit.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5012
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Utility.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4516
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AA0bfbf7qt.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:4068
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2084
        
        C:\Recovery\WindowsRE\Utility.exe
        
        "C:\Recovery\WindowsRE\Utility.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:3324
- C:\Users\Admin\AppData\Local\Temp\Utility.exe
  "C:\Users\Admin\AppData\Local\Temp\Utility.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:1344
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2948
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:4448
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    PID:3924
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    PID:4300
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    PID:792
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    PID:856
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "QHRAJGDI"
    3⤵
    - Launches sc.exe
    PID:2120
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "QHRAJGDI" binpath= "C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:1428
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:3744
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "QHRAJGDI"
    3⤵
    - Launches sc.exe
    PID:4128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Users\Default\PrintHood\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Default\PrintHood\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\blockcontainerWincrtdll\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\blockcontainerWincrtdll\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\blockcontainerWincrtdll\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\Microsoft\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "UtilityU" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\Utility.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Utility" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Utility.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "UtilityU" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\Utility.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4528

C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe
C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3104
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5084
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:3664
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  PID:4212
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  PID:1988
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  PID:2232
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  PID:4564
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:2348
- C:\Windows\system32\conhost.exe
  conhost.exe
  2⤵
  PID:1360

C:\Users\Default\PrintHood\Idle.exe
C:\Users\Default\PrintHood\Idle.exe
1⤵
- Executes dropped EXE
PID:4484

C:\Program Files\Reference Assemblies\wininit.exe
"C:\Program Files\Reference Assemblies\wininit.exe"
1⤵
- Executes dropped EXE
PID:4412

C:\blockcontainerWincrtdll\dllhost.exe
C:\blockcontainerWincrtdll\dllhost.exe
1⤵
- Executes dropped EXE
PID:4052

C:\Recovery\WindowsRE\Utility.exe
C:\Recovery\WindowsRE\Utility.exe
1⤵
- Executes dropped EXE
PID:1724

C:\Program Files\MSBuild\Microsoft\cmd.exe
"C:\Program Files\MSBuild\Microsoft\cmd.exe"
1⤵
- Executes dropped EXE
PID:4016

C:\Users\Default\PrintHood\Idle.exe
C:\Users\Default\PrintHood\Idle.exe
1⤵
- Executes dropped EXE
PID:2192

C:\Program Files\Reference Assemblies\wininit.exe
"C:\Program Files\Reference Assemblies\wininit.exe"
1⤵
- Executes dropped EXE
PID:2224

C:\blockcontainerWincrtdll\dllhost.exe
C:\blockcontainerWincrtdll\dllhost.exe
1⤵
- Executes dropped EXE
PID:2528

C:\Recovery\WindowsRE\Utility.exe
C:\Recovery\WindowsRE\Utility.exe
1⤵
- Executes dropped EXE
PID:4740

C:\Users\Default\PrintHood\Idle.exe
C:\Users\Default\PrintHood\Idle.exe
1⤵
- Executes dropped EXE
PID:1244

C:\Program Files\MSBuild\Microsoft\cmd.exe
"C:\Program Files\MSBuild\Microsoft\cmd.exe"
1⤵
- Executes dropped EXE
PID:4972

C:\Program Files\Reference Assemblies\wininit.exe
"C:\Program Files\Reference Assemblies\wininit.exe"
1⤵
- Executes dropped EXE
PID:164

C:\Users\Default\PrintHood\Idle.exe
C:\Users\Default\PrintHood\Idle.exe
1⤵
- Executes dropped EXE
PID:1524

C:\blockcontainerWincrtdll\dllhost.exe
C:\blockcontainerWincrtdll\dllhost.exe
1⤵
- Executes dropped EXE
PID:1952

C:\Recovery\WindowsRE\Utility.exe
C:\Recovery\WindowsRE\Utility.exe
1⤵
- Executes dropped EXE
PID:1732

C:\Program Files\MSBuild\Microsoft\cmd.exe
"C:\Program Files\MSBuild\Microsoft\cmd.exe"
1⤵
- Executes dropped EXE
PID:1580

C:\Program Files\Reference Assemblies\wininit.exe
"C:\Program Files\Reference Assemblies\wininit.exe"
1⤵
- Executes dropped EXE
PID:4616

C:\Users\Default\PrintHood\Idle.exe
C:\Users\Default\PrintHood\Idle.exe
1⤵
- Executes dropped EXE
PID:4544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Utility.exe.log

Filesize
847B

MD5
ffd07202965cc8d2106fe0866224d425

SHA1
102aae2319ed83e56a862b2525d58e57d8fe9f9a

SHA256
3e8458b928401cad08ef5cfc2c86706a15ef67d03f0c010b6ca4651370b97df2

SHA512
fdcab2ce6f65f28ec9da146b04ab4f38e0ee857a4fa70ced68abddfc16156ae466dca072f0820f83d935f89002484e9ade1e9f35a5df516793090ec95fafcbbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1b54a7ee5778574a6c311d3ceb1916c3

SHA1
80442668650b57702c322e5550870ff899b30a01

SHA256
1f270e97421c1ddb20f09af586fb026a040d409b4a3108dd6cde7d8d7389eb52

SHA512
33762a47c21713909d759ea57406a8e8ebe2e080ce19e4ef0761de01ca958859740a78d9e3f7b5c8200f5a990fc42088d751eac9f12a94ba4f05abde0d4789f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
38f6c7cdda155e14cf539450ce80010e

SHA1
f8dc0603887968ae946ef4bc34e90f584e7661c9

SHA256
d76ce66bd78f1293fbbbe3851475af4a21d5c210e3f692a79a312c98e3b72bdd

SHA512
064cbd065e76133869687feb34c09a1df125161d571ce4ccebef3ae677923cdebfc6917170fcebf95a44905bd0e0b17b6548351b724d3119242718d1a4e9061e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
af4288e031989efa429cc4c3d531df82

SHA1
52e3cfef9c8c9f7a2aebc8b7373b71db3b05e3c2

SHA256
dba5d5d24b39da8df9d0737a0ae3f6601441da6e7963f3d80a79a9912b96139e

SHA512
fe29704acde5322ddc236c3d6934b52a7afbb805c98128c9081107d4893cb5b11d0f4e48813f6b8d1c0f8a68615c980a21a89f2f605510f7ab9662039325b877

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fc98fb64459f3ffc71c9b98bf6a470cc

SHA1
5da8d66679e7449129d52142c840ac4a6dfda7d7

SHA256
5cf6bd23e2166d21d2178570c4f04cac1c030d67173abfebb05a407e15c47979

SHA512
4a781d9ea4a321b75e4d8722f5b1252094450ec1a06418eb86b69d460fe82722c4157deeb731731a870c42377230c34f7aabdefc06494ecd1c918c0f06a818d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\AA0bfbf7qt.bat

Filesize
209B

MD5
983c657089fad5cfe71d42f5968a6754

SHA1
6823125f2f675e3b1faea5f8c98cf01ebde23cf1

SHA256
9527c3b6e8f375543cbc0dc73f149464661895e1fe50a1e1c6f4e3ea0a1be4b2

SHA512
26234362593e275d653a81ddb6ba0ed3741039423d3b08185f529b4aedcee5010fe1eeea3e21aa5c073bf438afb5b8423203a95ff0712d410c4f190d8ba2ac74

Download Submit
C:\Users\Admin\AppData\Local\Temp\Checker.exe

Filesize
3.9MB

MD5
1003b37d9d942d41a38a83670eaa285c

SHA1
a4ee7ef69fc681caf1116d59578667abb9080ad6

SHA256
d822b616ee7e10b00fead9be9eb0cf9780fdb0b3fec3001ff31c9ce0cb7255ae

SHA512
0c6f4e063cc22ee3c076c95bf5ea1cb593e5b6f40e4f2b8d3723a5c18c14eeecf568dad2a16599967c56588f4918cecd996e475fd20615b07c99de4800309f9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7A41.tmp

Filesize
1KB

MD5
e66a231b8de91e5224bd6eb9bca7b214

SHA1
cb67f4b6e5accc459c679c092f0dcf535d18b498

SHA256
3058f3d67ab347f0a7223830b23ecff2d77f2dfb387530f364acde2a7cb74302

SHA512
1038bd443f9b9ba1fe006164218024c22974a199b195752d084e06e20c8e7959058d88bcc88b251422d6873ac7459d0e11677819c8bb9e2ba7c8e1f0507eb042

Download Submit
C:\Users\Admin\AppData\Local\Temp\Utility.exe

Filesize
5.0MB

MD5
b1ac2ea973651a70ea72597e13a10f0a

SHA1
07e7cdedc54067a46b1d42cdf8a2c9050c3d3419

SHA256
e2cb500c902da55ac07cbfbe30b8d1cef8781e55f0439ed601672636c3ab8c47

SHA512
02b0dbc8a31ca440027a6c07d618a92bb520567ccd338c28dfcb86faa5b56c866564cf1a05b1754dcfeb252d12d76da57fd2de87804454f0ef1097431764c1f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kmear3zu.duw.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\blockcontainerWincrtdll\SFUqxLlNpV20NJ9uCnUYCbrkrl1WOe98n.vbe

Filesize
228B

MD5
4f702b152f4098393712e3fe99b04fbd

SHA1
fec2f913e1fac5053127e175f1ba048c9d8dd25c

SHA256
f0e2bfb22d22aed8ac10eff5a010fad081a5798706b3a6fd7764798cab716eb2

SHA512
7c0844d6591b694d77ecf3d070eb3f70fd99427e41d62167aa58c98c1966a8065d90beb82ab0aa0a42bb80edb3c205dd07bb1d4fc03d989a0cb4df8993635fbf

Download Submit
C:\blockcontainerWincrtdll\Sessionperf.exe

Filesize
3.6MB

MD5
bf0f63bb48eb95aaec6fc6a001c974ce

SHA1
19baab2b0c129ecbd6a1aa21bada3e2e5cdd1136

SHA256
bbb080aed81b8f4d0f5d590c7cb0e56e68da5a27d32d964c32e50e1cb2015edc

SHA512
130f08a7c4901ef47e7d21effe83c19fa442f2ade97967c11e646f949a9e8c2c46e8272a31a5b75f6c279009530cd101a562f1ab31a28fe410273cd69bf6c28c

Download Submit
C:\blockcontainerWincrtdll\TudTneFnbF0PE5UTQ8BUoLqStO6.bat

Filesize
201B

MD5
159297f9e35114bf97d74622097780d8

SHA1
2aaaf993b9ecb9bae43ccd41585734512ff08355

SHA256
650c37c1afde471e40f77d7aec8603382214e9ec318b7f08ab7653f9c4e87f81

SHA512
a82faa2f64caf669d44eac03705e34bea213c9a74ed73950bd8d2158d1c256ca290b7ffece866c3a03c36a091be70d92157353782061e184e5d44ac937949f69

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pdz4ds32\pdz4ds32.0.cs

Filesize
367B

MD5
823d165b6f343e7b54df7aabb51f83b1

SHA1
84230e1e9079b069fe4992453fa37798f42d7afe

SHA256
d111a04b4d9dc002fef74a525db7ce6a991e6334450924e02dd0a7cf6ba065e9

SHA512
9482478076e27a2b89c8450c4073b2688cbc6c21c6658bdbcd571e46886bd07e4987690868d4ed33b8b1ff897e581cf562c19afa855267b713f925a2db16ad79

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pdz4ds32\pdz4ds32.cmdline

Filesize
235B

MD5
90b0d35d74f34d7384ada7f5a08ae5db

SHA1
206591f54ccc40b174eddef037f3b89805aa25c4

SHA256
9e85683776682cc2aad49b5ba7eb85e7130c0d6c3f4025f023fb0bced112baf7

SHA512
733c2d45e9549565f3990d473a33b5e8b4b971aa4fdc75990edbb56a4dcc112b73acf99d4d672ca5a1e6046570bda7bd16d359896c80dadf8f40da32b0bdea01

Download Submit
\??\c:\Windows\System32\CSC48781723969843A394A0FF2566F5176C.TMP

Filesize
1KB

MD5
35d2029ed56d02bdd5f6f26e72234b06

SHA1
e3fcc132b8af4e099a5e614d8736689d87e1b83a

SHA256
e0ffde280f68e8f5f0059b987cf1e49557fc03f02e901fc3d1596e0f7f5d8881

SHA512
e3044d3870dec2c132d936394b255eabe771c568abf1dd344530f48233d3f8b0266d2fcdbfc2dd88941c94c1d761a39227dff41673fe2b1d1aa371ace8a7a0df

Download Submit
memory/204-1-0x00007FFBBEEE3000-0x00007FFBBEEE4000-memory.dmp

Filesize
4KB

Download
memory/204-0-0x0000000000680000-0x00000000006DE000-memory.dmp

Filesize
376KB

Download
memory/204-25-0x00007FFBBEEE0000-0x00007FFBBF8CC000-memory.dmp

Filesize
9.9MB

Download
memory/204-3-0x00007FFBBEEE0000-0x00007FFBBF8CC000-memory.dmp

Filesize
9.9MB

Download
memory/204-2-0x00007FFBBEEE0000-0x00007FFBBF8CC000-memory.dmp

Filesize
9.9MB

Download
memory/828-423-0x000001A166DF0000-0x000001A166E0C000-memory.dmp

Filesize
112KB

Download
memory/828-429-0x000001A17F4E0000-0x000001A17F599000-memory.dmp

Filesize
740KB

Download
memory/828-462-0x000001A166E20000-0x000001A166E2A000-memory.dmp

Filesize
40KB

Download
memory/1196-127-0x00000147CC330000-0x00000147CC352000-memory.dmp

Filesize
136KB

Download
memory/1360-568-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1360-567-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1360-632-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1360-631-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1360-630-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1360-596-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1360-595-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1360-565-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1360-566-0x00000153ACAC0000-0x00000153ACAE0000-memory.dmp

Filesize
128KB

Download
memory/1360-564-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1360-570-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1360-571-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1360-569-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1360-562-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1360-560-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1360-559-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1360-561-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1360-563-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2348-558-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2348-555-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2348-554-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2348-553-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2348-552-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2348-551-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3324-574-0x000000001C870000-0x000000001C92F000-memory.dmp

Filesize
764KB

Download
memory/4088-55-0x000000001BFD0000-0x000000001BFE0000-memory.dmp

Filesize
64KB

Download
memory/4088-62-0x000000001BFE0000-0x000000001BFEE000-memory.dmp

Filesize
56KB

Download
memory/4088-34-0x0000000003160000-0x000000000316E000-memory.dmp

Filesize
56KB

Download
memory/4088-36-0x000000001BF10000-0x000000001BF2C000-memory.dmp

Filesize
112KB

Download
memory/4088-39-0x0000000003170000-0x0000000003180000-memory.dmp

Filesize
64KB

Download
memory/4088-41-0x000000001BF50000-0x000000001BF68000-memory.dmp

Filesize
96KB

Download
memory/4088-43-0x0000000003180000-0x0000000003190000-memory.dmp

Filesize
64KB

Download
memory/4088-45-0x000000001BBB0000-0x000000001BBC0000-memory.dmp

Filesize
64KB

Download
memory/4088-47-0x000000001BF30000-0x000000001BF3E000-memory.dmp

Filesize
56KB

Download
memory/4088-32-0x00000000032A0000-0x00000000032C6000-memory.dmp

Filesize
152KB

Download
memory/4088-49-0x000000001BF40000-0x000000001BF4E000-memory.dmp

Filesize
56KB

Download
memory/4088-30-0x0000000000D10000-0x00000000010B2000-memory.dmp

Filesize
3.6MB

Download
memory/4088-51-0x000000001BFF0000-0x000000001C002000-memory.dmp

Filesize
72KB

Download
memory/4088-129-0x000000001CDD0000-0x000000001CE8F000-memory.dmp

Filesize
764KB

Download
memory/4088-53-0x000000001BF70000-0x000000001BF7C000-memory.dmp

Filesize
48KB

Download
memory/4088-37-0x000000001BF80000-0x000000001BFD0000-memory.dmp

Filesize
320KB

Download
memory/4088-57-0x000000001C030000-0x000000001C046000-memory.dmp

Filesize
88KB

Download
memory/4088-59-0x000000001C050000-0x000000001C062000-memory.dmp

Filesize
72KB

Download
memory/4088-60-0x000000001C5A0000-0x000000001CAC6000-memory.dmp

Filesize
5.1MB

Download
memory/4088-80-0x000000001C1A0000-0x000000001C1EE000-memory.dmp

Filesize
312KB

Download
memory/4088-78-0x000000001C0A0000-0x000000001C0AC000-memory.dmp

Filesize
48KB

Download
memory/4088-76-0x000000001C130000-0x000000001C148000-memory.dmp

Filesize
96KB

Download
memory/4088-74-0x000000001C090000-0x000000001C09E000-memory.dmp

Filesize
56KB

Download
memory/4088-72-0x000000001C080000-0x000000001C090000-memory.dmp

Filesize
64KB

Download
memory/4088-70-0x000000001C070000-0x000000001C07E000-memory.dmp

Filesize
56KB

Download
memory/4088-68-0x000000001C0D0000-0x000000001C12A000-memory.dmp

Filesize
360KB

Download
memory/4088-66-0x000000001C020000-0x000000001C030000-memory.dmp

Filesize
64KB

Download
memory/4088-64-0x000000001C010000-0x000000001C020000-memory.dmp

Filesize
64KB

Download
memory/5012-139-0x00000224A00A0000-0x00000224A0116000-memory.dmp

Filesize
472KB

Download