xmrig | fbfa20ca6337fbe8f71ebab5e3328af667b9e9f4ad56ec7669e502f19e4f6905

Analysis

max time kernel
1800s
max time network
1799s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2024 11:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader.exe
Size

353KB
MD5

da4a981460566d93b7c25f1527c5d321
SHA1

ad0dc4e6192057d2f80b080741cdfea83c399a0b
SHA256

fbfa20ca6337fbe8f71ebab5e3328af667b9e9f4ad56ec7669e502f19e4f6905
SHA512

06d57ca29fb36c3c17f275485a69e58d3bb51a543f7dc96945122ad2108967a7995373ead8ce86eb9efc8131e1ae41dd2ac62cd02acb1933eac494e1ba1c6c93
SSDEEP

6144:ujwCtJxxb+fFgfWNIQudUChHCDomqrnBTcqRVhh69NhSzN+9Im:ujwC/xxpONIFFHCDVqpcqpc9zZO

Score

10^/10

xmrig zgrat evasion execution miner persistence rat spyware stealer upx

Malware Config

Signatures

Detect ZGRat V1 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Checker.exe	family_zgrat_v1
C:\blockcontainerWincrtdll\Sessionperf.exe	family_zgrat_v1
behavioral3/memory/2952-37-0x00000000007E0000-0x0000000000B82000-memory.dmp	family_zgrat_v1
C:\Users\Admin\3D Objects\sihost.exe	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Sessionperf.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\7-Zip\\Lang\\RuntimeBroker.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\7-Zip\\Lang\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Common Files\\Oracle\\WmiPrvSE.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\7-Zip\\Lang\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Common Files\\Oracle\\WmiPrvSE.exe\", \"C:\\Windows\\PrintDialog\\pris\\conhost.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\7-Zip\\Lang\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Common Files\\Oracle\\WmiPrvSE.exe\", \"C:\\Windows\\PrintDialog\\pris\\conhost.exe\", \"C:\\Users\\Admin\\3D Objects\\sihost.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\7-Zip\\Lang\\RuntimeBroker.exe\", \"C:\\Program Files (x86)\\Common Files\\Oracle\\WmiPrvSE.exe\", \"C:\\Windows\\PrintDialog\\pris\\conhost.exe\", \"C:\\Users\\Admin\\3D Objects\\sihost.exe\", \"C:\\blockcontainerWincrtdll\\smss.exe\""	Sessionperf.exe

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	4888	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5088	4888	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4080	4888	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4604	4888	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	4888	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	4888	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	4888	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4364	4888	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	916	4888	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	4888	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4628	4888	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	4888	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3384	4888	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4956	4888	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	4888	schtasks.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 12 IoCs

miner

Processes:

resource	yara_rule
behavioral3/memory/1880-261-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral3/memory/1880-263-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral3/memory/1880-262-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral3/memory/1880-260-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral3/memory/1880-258-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral3/memory/1880-257-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral3/memory/1880-264-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral3/memory/1880-294-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral3/memory/1880-295-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral3/memory/1880-327-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral3/memory/1880-326-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral3/memory/1880-328-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

512 powershell.exe
628 powershell.exe
4496 powershell.exe
3112 powershell.exe
1796 powershell.exe
3064 powershell.exe
3628 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Disables Task Manager via registry modification
evasion
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

pid	process
512	powershell.exe
628	powershell.exe
4496	powershell.exe
3112	powershell.exe
1796	powershell.exe
3064	powershell.exe
3628	powershell.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Checker.exeWScript.exeSessionperf.exeLoader.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Checker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Sessionperf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	Loader.exe

Executes dropped EXE 16 IoCs

Processes:

Checker.exeUtility.exeSessionperf.exesmss.exelhhsgwktkatl.exesmss.execonhost.exesihost.exeWmiPrvSE.exeRuntimeBroker.exesmss.execonhost.exesihost.exeWmiPrvSE.exeRuntimeBroker.exesmss.exe

pid	process
3144	Checker.exe
3248	Utility.exe
2952	Sessionperf.exe
4512	smss.exe
5092	lhhsgwktkatl.exe
4180	smss.exe
2988	conhost.exe
4960	sihost.exe
3388	WmiPrvSE.exe
1016	RuntimeBroker.exe
864	smss.exe
2468	conhost.exe
2596	sihost.exe
3628	WmiPrvSE.exe
4544	RuntimeBroker.exe
3880	smss.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral3/memory/1880-253-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/1880-254-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/1880-252-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/1880-255-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/1880-256-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/1880-261-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/1880-263-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/1880-262-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/1880-260-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/1880-258-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/1880-257-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/1880-264-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/1880-294-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/1880-295-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/1880-327-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/1880-326-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/1880-328-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Sessionperf.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files (x86)\\Common Files\\Oracle\\WmiPrvSE.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\PrintDialog\\pris\\conhost.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\blockcontainerWincrtdll\\smss.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\7-Zip\\Lang\\RuntimeBroker.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\7-Zip\\Lang\\RuntimeBroker.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files (x86)\\Common Files\\Oracle\\WmiPrvSE.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\PrintDialog\\pris\\conhost.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Users\\Admin\\3D Objects\\sihost.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Users\\Admin\\3D Objects\\sihost.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\blockcontainerWincrtdll\\smss.exe\""	Sessionperf.exe

Drops file in System32 directory 6 IoCs

Processes:

lhhsgwktkatl.execsc.exeUtility.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\system32\MRT.exe	lhhsgwktkatl.exe
File created	\??\c:\Windows\System32\CSC38BE72965194422A9CCABE9C03887F.TMP	csc.exe
File created	\??\c:\Windows\System32\t4pfwd.exe	csc.exe
File opened for modification	C:\Windows\system32\MRT.exe	Utility.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

lhhsgwktkatl.exe

description	pid	process	target process
PID 5092 set thread context of 2776	5092	lhhsgwktkatl.exe	conhost.exe
PID 5092 set thread context of 1880	5092	lhhsgwktkatl.exe	conhost.exe

Drops file in Program Files directory 5 IoCs

Processes:

Sessionperf.exe

description	ioc	process
File created	C:\Program Files\7-Zip\Lang\RuntimeBroker.exe	Sessionperf.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RuntimeBroker.exe	Sessionperf.exe
File created	C:\Program Files\7-Zip\Lang\9e8d7a4ca61bd9	Sessionperf.exe
File created	C:\Program Files (x86)\Common Files\Oracle\WmiPrvSE.exe	Sessionperf.exe
File created	C:\Program Files (x86)\Common Files\Oracle\24dbde2999530e	Sessionperf.exe

Drops file in Windows directory 2 IoCs

Processes:

Sessionperf.exe

description	ioc	process
File created	C:\Windows\PrintDialog\pris\conhost.exe	Sessionperf.exe
File created	C:\Windows\PrintDialog\pris\088424020bedd6	Sessionperf.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

2576 sc.exe
3664 sc.exe
3516 sc.exe
1320 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2576	sc.exe
3664	sc.exe
3516	sc.exe
1320	sc.exe

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4604	schtasks.exe
2860	schtasks.exe
4544	schtasks.exe
4900	schtasks.exe
4956	schtasks.exe
2120	schtasks.exe
4364	schtasks.exe
916	schtasks.exe
3384	schtasks.exe
4080	schtasks.exe
2320	schtasks.exe
1508	schtasks.exe
624	schtasks.exe
4628	schtasks.exe
5088	schtasks.exe

Modifies data under HKEY_USERS 46 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe

Modifies registry class 2 IoCs

Processes:

Checker.exeSessionperf.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	Checker.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	Sessionperf.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4868 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2616 PING.EXE

pid	process
4868	reg.exe

pid	process
2616	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Sessionperf.exe

pid	process
2952	Sessionperf.exe
2952	Sessionperf.exe
2952	Sessionperf.exe
2952	Sessionperf.exe
2952	Sessionperf.exe
2952	Sessionperf.exe
2952	Sessionperf.exe
2952	Sessionperf.exe
2952	Sessionperf.exe
2952	Sessionperf.exe
2952	Sessionperf.exe
2952	Sessionperf.exe
2952	Sessionperf.exe
2952	Sessionperf.exe
2952	Sessionperf.exe
2952	Sessionperf.exe
2952	Sessionperf.exe
2952	Sessionperf.exe
2952	Sessionperf.exe
2952	Sessionperf.exe
2952	Sessionperf.exe
2952	Sessionperf.exe
2952	Sessionperf.exe
2952	Sessionperf.exe
2952	Sessionperf.exe
2952	Sessionperf.exe
2952	Sessionperf.exe
2952	Sessionperf.exe
2952	Sessionperf.exe
2952	Sessionperf.exe
2952	Sessionperf.exe
2952	Sessionperf.exe
2952	Sessionperf.exe
2952	Sessionperf.exe
2952	Sessionperf.exe
2952	Sessionperf.exe
2952	Sessionperf.exe
2952	Sessionperf.exe
2952	Sessionperf.exe
2952	Sessionperf.exe
2952	Sessionperf.exe
2952	Sessionperf.exe
2952	Sessionperf.exe
2952	Sessionperf.exe
2952	Sessionperf.exe
2952	Sessionperf.exe
2952	Sessionperf.exe
2952	Sessionperf.exe
2952	Sessionperf.exe
2952	Sessionperf.exe
2952	Sessionperf.exe
2952	Sessionperf.exe
2952	Sessionperf.exe
2952	Sessionperf.exe
2952	Sessionperf.exe
2952	Sessionperf.exe
2952	Sessionperf.exe
2952	Sessionperf.exe
2952	Sessionperf.exe
2952	Sessionperf.exe
2952	Sessionperf.exe
2952	Sessionperf.exe
2952	Sessionperf.exe
2952	Sessionperf.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

smss.exe

pid process

4512 smss.exe

pid	process
4512	smss.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

Processes:

Loader.exeSessionperf.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exesmss.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.execonhost.exesmss.execonhost.exesihost.exeWmiPrvSE.exeRuntimeBroker.exesmss.execonhost.exesihost.exeWmiPrvSE.exeRuntimeBroker.exesmss.exe

description	pid	process
Token: SeDebugPrivilege	1760	Loader.exe
Token: SeDebugPrivilege	2952	Sessionperf.exe
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	3628	powershell.exe
Token: SeDebugPrivilege	3112	powershell.exe
Token: SeDebugPrivilege	4496	powershell.exe
Token: SeDebugPrivilege	512	powershell.exe
Token: SeDebugPrivilege	4512	smss.exe
Token: SeShutdownPrivilege	2264	powercfg.exe
Token: SeCreatePagefilePrivilege	2264	powercfg.exe
Token: SeShutdownPrivilege	880	powercfg.exe
Token: SeCreatePagefilePrivilege	880	powercfg.exe
Token: SeShutdownPrivilege	3512	powercfg.exe
Token: SeCreatePagefilePrivilege	3512	powercfg.exe
Token: SeShutdownPrivilege	4528	powercfg.exe
Token: SeCreatePagefilePrivilege	4528	powercfg.exe
Token: SeDebugPrivilege	628	powershell.exe
Token: SeShutdownPrivilege	3144	powercfg.exe
Token: SeCreatePagefilePrivilege	3144	powercfg.exe
Token: SeShutdownPrivilege	3448	powercfg.exe
Token: SeCreatePagefilePrivilege	3448	powercfg.exe
Token: SeShutdownPrivilege	1384	powercfg.exe
Token: SeCreatePagefilePrivilege	1384	powercfg.exe
Token: SeShutdownPrivilege	3420	powercfg.exe
Token: SeCreatePagefilePrivilege	3420	powercfg.exe
Token: SeLockMemoryPrivilege	1880	conhost.exe
Token: SeDebugPrivilege	4180	smss.exe
Token: SeDebugPrivilege	2988	conhost.exe
Token: SeDebugPrivilege	4960	sihost.exe
Token: SeDebugPrivilege	3388	WmiPrvSE.exe
Token: SeDebugPrivilege	1016	RuntimeBroker.exe
Token: SeDebugPrivilege	864	smss.exe
Token: SeDebugPrivilege	2468	conhost.exe
Token: SeDebugPrivilege	2596	sihost.exe
Token: SeDebugPrivilege	3628	WmiPrvSE.exe
Token: SeDebugPrivilege	4544	RuntimeBroker.exe
Token: SeDebugPrivilege	3880	smss.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

smss.exe

pid process

4512 smss.exe

pid	process
4512	smss.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

Loader.exeChecker.exeWScript.execmd.exeSessionperf.execsc.execmd.execmd.exelhhsgwktkatl.execmd.exe

description	pid	process	target process
PID 1760 wrote to memory of 3144	1760	Loader.exe	Checker.exe
PID 1760 wrote to memory of 3144	1760	Loader.exe	Checker.exe
PID 1760 wrote to memory of 3144	1760	Loader.exe	Checker.exe
PID 3144 wrote to memory of 1032	3144	Checker.exe	WScript.exe
PID 3144 wrote to memory of 1032	3144	Checker.exe	WScript.exe
PID 3144 wrote to memory of 1032	3144	Checker.exe	WScript.exe
PID 1760 wrote to memory of 3248	1760	Loader.exe	Utility.exe
PID 1760 wrote to memory of 3248	1760	Loader.exe	Utility.exe
PID 1032 wrote to memory of 3324	1032	WScript.exe	cmd.exe
PID 1032 wrote to memory of 3324	1032	WScript.exe	cmd.exe
PID 1032 wrote to memory of 3324	1032	WScript.exe	cmd.exe
PID 3324 wrote to memory of 4868	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 4868	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 4868	3324	cmd.exe	reg.exe
PID 3324 wrote to memory of 2952	3324	cmd.exe	Sessionperf.exe
PID 3324 wrote to memory of 2952	3324	cmd.exe	Sessionperf.exe
PID 2952 wrote to memory of 4032	2952	Sessionperf.exe	csc.exe
PID 2952 wrote to memory of 4032	2952	Sessionperf.exe	csc.exe
PID 4032 wrote to memory of 3620	4032	csc.exe	cvtres.exe
PID 4032 wrote to memory of 3620	4032	csc.exe	cvtres.exe
PID 2952 wrote to memory of 4496	2952	Sessionperf.exe	powershell.exe
PID 2952 wrote to memory of 4496	2952	Sessionperf.exe	powershell.exe
PID 2952 wrote to memory of 3112	2952	Sessionperf.exe	powershell.exe
PID 2952 wrote to memory of 3112	2952	Sessionperf.exe	powershell.exe
PID 2952 wrote to memory of 1796	2952	Sessionperf.exe	powershell.exe
PID 2952 wrote to memory of 1796	2952	Sessionperf.exe	powershell.exe
PID 2952 wrote to memory of 3064	2952	Sessionperf.exe	powershell.exe
PID 2952 wrote to memory of 3064	2952	Sessionperf.exe	powershell.exe
PID 2952 wrote to memory of 3628	2952	Sessionperf.exe	powershell.exe
PID 2952 wrote to memory of 3628	2952	Sessionperf.exe	powershell.exe
PID 2952 wrote to memory of 892	2952	Sessionperf.exe	cmd.exe
PID 2952 wrote to memory of 892	2952	Sessionperf.exe	cmd.exe
PID 892 wrote to memory of 3776	892	cmd.exe	chcp.com
PID 892 wrote to memory of 3776	892	cmd.exe	chcp.com
PID 892 wrote to memory of 2616	892	cmd.exe	PING.EXE
PID 892 wrote to memory of 2616	892	cmd.exe	PING.EXE
PID 892 wrote to memory of 4512	892	cmd.exe	smss.exe
PID 892 wrote to memory of 4512	892	cmd.exe	smss.exe
PID 4744 wrote to memory of 468	4744	cmd.exe	wusa.exe
PID 4744 wrote to memory of 468	4744	cmd.exe	wusa.exe
PID 5092 wrote to memory of 2776	5092	lhhsgwktkatl.exe	conhost.exe
PID 5092 wrote to memory of 2776	5092	lhhsgwktkatl.exe	conhost.exe
PID 5092 wrote to memory of 2776	5092	lhhsgwktkatl.exe	conhost.exe
PID 5092 wrote to memory of 2776	5092	lhhsgwktkatl.exe	conhost.exe
PID 5092 wrote to memory of 2776	5092	lhhsgwktkatl.exe	conhost.exe
PID 5092 wrote to memory of 2776	5092	lhhsgwktkatl.exe	conhost.exe
PID 5092 wrote to memory of 2776	5092	lhhsgwktkatl.exe	conhost.exe
PID 5092 wrote to memory of 2776	5092	lhhsgwktkatl.exe	conhost.exe
PID 5092 wrote to memory of 2776	5092	lhhsgwktkatl.exe	conhost.exe
PID 5092 wrote to memory of 1880	5092	lhhsgwktkatl.exe	conhost.exe
PID 5092 wrote to memory of 1880	5092	lhhsgwktkatl.exe	conhost.exe
PID 5092 wrote to memory of 1880	5092	lhhsgwktkatl.exe	conhost.exe
PID 5092 wrote to memory of 1880	5092	lhhsgwktkatl.exe	conhost.exe
PID 5092 wrote to memory of 1880	5092	lhhsgwktkatl.exe	conhost.exe
PID 3576 wrote to memory of 3632	3576	cmd.exe	wusa.exe
PID 3576 wrote to memory of 3632	3576	cmd.exe	wusa.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1760

C:\Users\Admin\AppData\Local\Temp\Checker.exe
"C:\Users\Admin\AppData\Local\Temp\Checker.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3144

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\blockcontainerWincrtdll\SFUqxLlNpV20NJ9uCnUYCbrkrl1WOe98n.vbe"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\blockcontainerWincrtdll\TudTneFnbF0PE5UTQ8BUoLqStO6.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:3324

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
5⤵
- Modifies registry key
PID:4868

C:\blockcontainerWincrtdll\Sessionperf.exe
"C:\blockcontainerWincrtdll/Sessionperf.exe"
5⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2952

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gdmy2b50\gdmy2b50.cmdline"
6⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4032

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5803.tmp" "c:\Windows\System32\CSC38BE72965194422A9CCABE9C03887F.TMP"
7⤵
PID:3620

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\RuntimeBroker.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4496

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Oracle\WmiPrvSE.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3112

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PrintDialog\pris\conhost.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1796

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\3D Objects\sihost.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3064

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\blockcontainerWincrtdll\smss.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3628

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X0a5dD1oTs.bat"
6⤵
- Suspicious use of WriteProcessMemory
PID:892

C:\Windows\system32\chcp.com
chcp 65001
7⤵
PID:3776

C:\Windows\system32\PING.EXE
ping -n 10 localhost
7⤵
- Runs ping.exe
PID:2616

C:\blockcontainerWincrtdll\smss.exe
"C:\blockcontainerWincrtdll\smss.exe"
7⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4512

C:\Users\Admin\AppData\Local\Temp\Utility.exe
"C:\Users\Admin\AppData\Local\Temp\Utility.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3248

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
3⤵
- Suspicious use of WriteProcessMemory
PID:4744

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
4⤵
PID:468

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2264

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3512

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:880

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4528

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "QHRAJGDI"
3⤵
- Launches sc.exe
PID:2576

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "QHRAJGDI" binpath= "C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe" start= "auto"
3⤵
- Launches sc.exe
PID:3664

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
3⤵
- Launches sc.exe
PID:3516

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "QHRAJGDI"
3⤵
- Launches sc.exe
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\Lang\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\Oracle\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Oracle\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\Oracle\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Windows\PrintDialog\pris\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\PrintDialog\pris\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Windows\PrintDialog\pris\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\3D Objects\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Admin\3D Objects\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\3D Objects\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\blockcontainerWincrtdll\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\blockcontainerWincrtdll\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\blockcontainerWincrtdll\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2860

C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe
C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5092

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
2⤵
- Suspicious use of WriteProcessMemory
PID:3576

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
3⤵
PID:3632

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3144

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1384

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3420

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3448

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:2776

C:\Windows\system32\conhost.exe
conhost.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1880

C:\blockcontainerWincrtdll\smss.exe
C:\blockcontainerWincrtdll\smss.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4180

C:\Windows\PrintDialog\pris\conhost.exe
C:\Windows\PrintDialog\pris\conhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2988

C:\Users\Admin\3D Objects\sihost.exe
"C:\Users\Admin\3D Objects\sihost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4960

C:\Program Files (x86)\Common Files\Oracle\WmiPrvSE.exe
"C:\Program Files (x86)\Common Files\Oracle\WmiPrvSE.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3388

C:\Program Files\7-Zip\Lang\RuntimeBroker.exe
"C:\Program Files\7-Zip\Lang\RuntimeBroker.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1016

C:\blockcontainerWincrtdll\smss.exe
C:\blockcontainerWincrtdll\smss.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:864

C:\Windows\PrintDialog\pris\conhost.exe
C:\Windows\PrintDialog\pris\conhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2468

C:\Users\Admin\3D Objects\sihost.exe
"C:\Users\Admin\3D Objects\sihost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2596

C:\Program Files (x86)\Common Files\Oracle\WmiPrvSE.exe
"C:\Program Files (x86)\Common Files\Oracle\WmiPrvSE.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3628

C:\Program Files\7-Zip\Lang\RuntimeBroker.exe
"C:\Program Files\7-Zip\Lang\RuntimeBroker.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4544

C:\blockcontainerWincrtdll\smss.exe
C:\blockcontainerWincrtdll\smss.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3880

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\3D Objects\sihost.exe
Filesize
1.2MB

MD5
f2fc669b2b5b60feb40ff646859c502a

SHA1
f352fc0b62a6febf7ab84ffb8dc2aba89f0e1e49

SHA256
11816361e7bc5eb165646c59b24c4e2f7914b831995e5a3b81e805b141004d1a

SHA512
1ecb29f19eb51073b28ee42b60311240601c03dc2efc3a31e281534da2dca1e0c3f2c0b684764debe6b72c5b4e9406ac958bb11f1cb6615fb49bab56d46b21b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WmiPrvSE.exe.log
Filesize
847B

MD5
66a0a4aa01208ed3d53a5e131a8d030a

SHA1
ef5312ba2b46b51a4d04b574ca1789ac4ff4a6b1

SHA256
f0ab05c32d6af3c2b559dbce4dec025ce3e730655a2430ade520e89a557cace8

SHA512
626f0dcf0c6bcdc0fef25dc7da058003cf929fd9a39a9f447b79fb139a417532a46f8bca1ff2dbde09abfcd70f5fb4f8d059b1fe91977c377df2f5f751c84c5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Temp\Checker.exe
Filesize
3.9MB

MD5
1003b37d9d942d41a38a83670eaa285c

SHA1
a4ee7ef69fc681caf1116d59578667abb9080ad6

SHA256
d822b616ee7e10b00fead9be9eb0cf9780fdb0b3fec3001ff31c9ce0cb7255ae

SHA512
0c6f4e063cc22ee3c076c95bf5ea1cb593e5b6f40e4f2b8d3723a5c18c14eeecf568dad2a16599967c56588f4918cecd996e475fd20615b07c99de4800309f9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5803.tmp
Filesize
1KB

MD5
993b17f3b7adcaedc1bbe8848c085abf

SHA1
53c657ced3d3b452627ca6babc885aa81bde38f2

SHA256
ba586e4415f379119f581e6b4e88b31750f4c234441cff9c1e95cd68492aceea

SHA512
789b78b873da5485d35860bc9678f9311135db1f6265e1c1a83430ec8b324ac430027e05bc2439f9098a08759f22988666c9b688476daeee7f4c190134d165a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Utility.exe
Filesize
5.0MB

MD5
b1ac2ea973651a70ea72597e13a10f0a

SHA1
07e7cdedc54067a46b1d42cdf8a2c9050c3d3419

SHA256
e2cb500c902da55ac07cbfbe30b8d1cef8781e55f0439ed601672636c3ab8c47

SHA512
02b0dbc8a31ca440027a6c07d618a92bb520567ccd338c28dfcb86faa5b56c866564cf1a05b1754dcfeb252d12d76da57fd2de87804454f0ef1097431764c1f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\X0a5dD1oTs.bat
Filesize
163B

MD5
0183ef6bf713f65d4e9756b98b260f2b

SHA1
35d0686cea868115e157dd80e15442403bdb7f3f

SHA256
b9b574c33589be5ce1561bdb2150e5bfed1ca9052293366be2eec24baaa0bf48

SHA512
75950601fc731c2be39fb8c9ce9c4fe73ec5cd97f094974876c41372744964fba2fa4932f4dbf2ebd8a72ff8529228c3e26407cd2c52ca8b88ab0c8c9bb5206c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sv51vusv.xse.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\blockcontainerWincrtdll\SFUqxLlNpV20NJ9uCnUYCbrkrl1WOe98n.vbe
Filesize
228B

MD5
4f702b152f4098393712e3fe99b04fbd

SHA1
fec2f913e1fac5053127e175f1ba048c9d8dd25c

SHA256
f0e2bfb22d22aed8ac10eff5a010fad081a5798706b3a6fd7764798cab716eb2

SHA512
7c0844d6591b694d77ecf3d070eb3f70fd99427e41d62167aa58c98c1966a8065d90beb82ab0aa0a42bb80edb3c205dd07bb1d4fc03d989a0cb4df8993635fbf

Download Submit
C:\blockcontainerWincrtdll\Sessionperf.exe
Filesize
3.6MB

MD5
bf0f63bb48eb95aaec6fc6a001c974ce

SHA1
19baab2b0c129ecbd6a1aa21bada3e2e5cdd1136

SHA256
bbb080aed81b8f4d0f5d590c7cb0e56e68da5a27d32d964c32e50e1cb2015edc

SHA512
130f08a7c4901ef47e7d21effe83c19fa442f2ade97967c11e646f949a9e8c2c46e8272a31a5b75f6c279009530cd101a562f1ab31a28fe410273cd69bf6c28c

Download Submit
C:\blockcontainerWincrtdll\TudTneFnbF0PE5UTQ8BUoLqStO6.bat
Filesize
201B

MD5
159297f9e35114bf97d74622097780d8

SHA1
2aaaf993b9ecb9bae43ccd41585734512ff08355

SHA256
650c37c1afde471e40f77d7aec8603382214e9ec318b7f08ab7653f9c4e87f81

SHA512
a82faa2f64caf669d44eac03705e34bea213c9a74ed73950bd8d2158d1c256ca290b7ffece866c3a03c36a091be70d92157353782061e184e5d44ac937949f69

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gdmy2b50\gdmy2b50.0.cs
Filesize
377B

MD5
c463e381806d9ddee0986d85a01d3152

SHA1
2bebf95da69291ae862015e2076cea2cbeaf20ea

SHA256
dc3fbf8a82e44257f152900c10f2039e8780248ef465bba253b4eb8bc8be49ff

SHA512
322fc0e37ea40fd9bf5e86a6a6e875d2fb0365d118e30a426527ebcde2918ee428fb4f17f4bb00649bface66c83fe35000c55fd54888fb5c40800e1e36f3f499

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gdmy2b50\gdmy2b50.cmdline
Filesize
235B

MD5
f243c37966dc759b1160cf7f97712ae0

SHA1
64a8f6e984e8a220eb01475750dc8388e7820e0b

SHA256
2e7104577ddeb1369e0467413263815c598a6e596ec2d5051052c378f55252f8

SHA512
4bcb247741687da6f4bdafcfd251e8fe108b4f7e4f1201ec906b9dc1cc90c839e098d05a7a1be70440f167de660b770ce5abaea16e09af83b2db3af0cd97b100

Download Submit
\??\c:\Windows\System32\CSC38BE72965194422A9CCABE9C03887F.TMP
Filesize
1KB

MD5
9beedc7794aa6283d0dfe66633f0facc

SHA1
51dcbc25b09e1b1eed30d7e7c4ef6d10958b5c71

SHA256
852142ec581e78ed8efae8c1c328654f6bfad35e875f0d815c5f36c23a0fa860

SHA512
d07e046a043b4c4fd8352f0081ee5cad8585eda817f54e3a1025b16d8ac47b5d11409a6f0a3aeadb8ea04797bb7edf7edaa73214cc41f7557baa11406bb90eb4

Download Submit
memory/628-225-0x000001A47DE30000-0x000001A47DE4C000-memory.dmp

Filesize
112KB

Download
memory/628-217-0x000001A47DC00000-0x000001A47DCB5000-memory.dmp

Filesize
724KB

Download
memory/628-240-0x000001A47DE50000-0x000001A47DE56000-memory.dmp

Filesize
24KB

Download
memory/628-241-0x000001A47DE60000-0x000001A47DE6A000-memory.dmp

Filesize
40KB

Download
memory/628-216-0x000001A47DBE0000-0x000001A47DBFC000-memory.dmp

Filesize
112KB

Download
memory/628-219-0x000001A47DCC0000-0x000001A47DCCA000-memory.dmp

Filesize
40KB

Download
memory/628-239-0x000001A47DE20000-0x000001A47DE28000-memory.dmp

Filesize
32KB

Download
memory/628-238-0x000001A47DE70000-0x000001A47DE8A000-memory.dmp

Filesize
104KB

Download
memory/628-237-0x000001A47DE10000-0x000001A47DE1A000-memory.dmp

Filesize
40KB

Download
memory/1760-3-0x00007FFE0FE40000-0x00007FFE10901000-memory.dmp

Filesize
10.8MB

Download
memory/1760-1-0x00007FFE0FE43000-0x00007FFE0FE45000-memory.dmp

Filesize
8KB

Download
memory/1760-2-0x00007FFE0FE40000-0x00007FFE10901000-memory.dmp

Filesize
10.8MB

Download
memory/1760-0-0x0000000000750000-0x00000000007AE000-memory.dmp

Filesize
376KB

Download
memory/1760-32-0x00007FFE0FE40000-0x00007FFE10901000-memory.dmp

Filesize
10.8MB

Download
memory/1796-113-0x00000247A2660000-0x00000247A2682000-memory.dmp

Filesize
136KB

Download
memory/1880-328-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1880-253-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1880-254-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1880-252-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1880-255-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1880-256-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1880-259-0x000001F718990000-0x000001F7189B0000-memory.dmp

Filesize
128KB

Download
memory/1880-261-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1880-263-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1880-262-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1880-260-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1880-258-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1880-257-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1880-264-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1880-294-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1880-295-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1880-327-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1880-326-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2776-245-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2776-244-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2776-251-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2776-247-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2776-248-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2776-246-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2952-67-0x000000001C930000-0x000000001CE58000-memory.dmp

Filesize
5.2MB

Download
memory/2952-60-0x000000001C360000-0x000000001C36C000-memory.dmp

Filesize
48KB

Download
memory/2952-79-0x000000001C420000-0x000000001C430000-memory.dmp

Filesize
64KB

Download
memory/2952-81-0x000000001C430000-0x000000001C43E000-memory.dmp

Filesize
56KB

Download
memory/2952-83-0x000000001C4D0000-0x000000001C4E8000-memory.dmp

Filesize
96KB

Download
memory/2952-85-0x000000001C440000-0x000000001C44C000-memory.dmp

Filesize
48KB

Download
memory/2952-75-0x000000001C470000-0x000000001C4CA000-memory.dmp

Filesize
360KB

Download
memory/2952-87-0x000000001C540000-0x000000001C58E000-memory.dmp

Filesize
312KB

Download
memory/2952-73-0x000000001C400000-0x000000001C410000-memory.dmp

Filesize
64KB

Download
memory/2952-71-0x000000001C3B0000-0x000000001C3C0000-memory.dmp

Filesize
64KB

Download
memory/2952-69-0x000000001C3A0000-0x000000001C3AE000-memory.dmp

Filesize
56KB

Download
memory/2952-148-0x000000001C890000-0x000000001C8FB000-memory.dmp

Filesize
428KB

Download
memory/2952-66-0x000000001C3E0000-0x000000001C3F2000-memory.dmp

Filesize
72KB

Download
memory/2952-64-0x000000001C3C0000-0x000000001C3D6000-memory.dmp

Filesize
88KB

Download
memory/2952-62-0x000000001C370000-0x000000001C380000-memory.dmp

Filesize
64KB

Download
memory/2952-77-0x000000001C410000-0x000000001C41E000-memory.dmp

Filesize
56KB

Download
memory/2952-58-0x000000001C380000-0x000000001C392000-memory.dmp

Filesize
72KB

Download
memory/2952-56-0x000000001C300000-0x000000001C30E000-memory.dmp

Filesize
56KB

Download
memory/2952-54-0x000000001C2D0000-0x000000001C2DE000-memory.dmp

Filesize
56KB

Download
memory/2952-52-0x000000001C2C0000-0x000000001C2D0000-memory.dmp

Filesize
64KB

Download
memory/2952-50-0x000000001B7A0000-0x000000001B7B0000-memory.dmp

Filesize
64KB

Download
memory/2952-37-0x00000000007E0000-0x0000000000B82000-memory.dmp

Filesize
3.6MB

Download
memory/2952-48-0x000000001C2E0000-0x000000001C2F8000-memory.dmp

Filesize
96KB

Download
memory/2952-46-0x000000001B790000-0x000000001B7A0000-memory.dmp

Filesize
64KB

Download
memory/2952-44-0x000000001C310000-0x000000001C360000-memory.dmp

Filesize
320KB

Download
memory/2952-43-0x000000001B7E0000-0x000000001B7FC000-memory.dmp

Filesize
112KB

Download
memory/2952-41-0x000000001B780000-0x000000001B78E000-memory.dmp

Filesize
56KB

Download
memory/2952-39-0x000000001B7B0000-0x000000001B7D6000-memory.dmp

Filesize
152KB

Download
memory/4512-265-0x000000001DD00000-0x000000001DD6B000-memory.dmp

Filesize
428KB

Download