xmrig | fbfa20ca6337fbe8f71ebab5e3328af667b9e9f4ad56ec7669e502f19e4f6905

Resubmissions

14-05-2024 11:56

240514-n323naef94 3

14-05-2024 11:35

240514-nqfc5adg51 10

Analysis

max time kernel
149s
max time network
148s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
14-05-2024 11:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader.exe
Size

353KB
MD5

da4a981460566d93b7c25f1527c5d321
SHA1

ad0dc4e6192057d2f80b080741cdfea83c399a0b
SHA256

fbfa20ca6337fbe8f71ebab5e3328af667b9e9f4ad56ec7669e502f19e4f6905
SHA512

06d57ca29fb36c3c17f275485a69e58d3bb51a543f7dc96945122ad2108967a7995373ead8ce86eb9efc8131e1ae41dd2ac62cd02acb1933eac494e1ba1c6c93
SSDEEP

6144:ujwCtJxxb+fFgfWNIQudUChHCDomqrnBTcqRVhh69NhSzN+9Im:ujwC/xxpONIFFHCDVqpcqpc9zZO

Score

10^/10

xmrig zgrat evasion execution miner persistence rat spyware stealer upx

Malware Config

Signatures

Detect ZGRat V1 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Checker.exe	family_zgrat_v1
C:\blockcontainerWincrtdll\Sessionperf.exe	family_zgrat_v1
behavioral1/memory/4992-30-0x0000000000DC0000-0x0000000001162000-memory.dmp	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Sessionperf.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\dllhost.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Windows\\Fonts\\SearchUI.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Windows\\Fonts\\SearchUI.exe\", \"C:\\Users\\All Users\\ShellExperienceHost.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Windows\\Fonts\\SearchUI.exe\", \"C:\\Users\\All Users\\ShellExperienceHost.exe\", \"C:\\Windows\\ELAMBKUP\\SearchUI.exe\""	Sessionperf.exe

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4364	2632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3464	2632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	2632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	2632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4076	2632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4116	2632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3704	2632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	2632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4924	2632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	636	2632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4468	2632	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5056	2632	schtasks.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1052-565-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1052-571-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1052-568-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1052-569-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1052-570-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1052-567-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1052-564-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1052-595-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1052-596-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

2620 powershell.exe
4636 powershell.exe
4652 powershell.exe
752 powershell.exe
4908 powershell.exe
5072 powershell.exe
4696 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Disables Task Manager via registry modification
evasion
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Executes dropped EXE 5 IoCs

Processes:

Checker.exeUtility.exeSessionperf.exeSearchUI.exelhhsgwktkatl.exe

pid process

1340 Checker.exe
4904 Utility.exe
4992 Sessionperf.exe
1484 SearchUI.exe
796 lhhsgwktkatl.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2620	powershell.exe
4636	powershell.exe
4652	powershell.exe
752	powershell.exe
4908	powershell.exe
5072	powershell.exe
4696	powershell.exe

pid	process
1340	Checker.exe
4904	Utility.exe
4992	Sessionperf.exe
1484	SearchUI.exe
796	lhhsgwktkatl.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1052-562-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1052-563-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1052-565-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1052-571-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1052-568-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1052-569-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1052-570-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1052-567-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1052-564-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1052-560-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1052-561-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1052-559-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1052-595-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1052-596-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Sessionperf.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchUI = "\"C:\\Windows\\ELAMBKUP\\SearchUI.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\dllhost.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\SearchUI = "\"C:\\Windows\\Fonts\\SearchUI.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ShellExperienceHost = "\"C:\\Users\\All Users\\ShellExperienceHost.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\SearchUI = "\"C:\\Windows\\ELAMBKUP\\SearchUI.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\dllhost.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchUI = "\"C:\\Windows\\Fonts\\SearchUI.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\ShellExperienceHost = "\"C:\\Users\\All Users\\ShellExperienceHost.exe\""	Sessionperf.exe

Drops file in System32 directory 7 IoCs

Processes:

Sessionperf.execsc.exeUtility.exepowershell.exelhhsgwktkatl.exe

description	ioc	process
File created	C:\Windows\System32\dllhost.exe	Sessionperf.exe
File created	\??\c:\Windows\System32\CSC79B5F84164214786884E3EAD95D278F.TMP	csc.exe
File created	\??\c:\Windows\System32\iv1hm7.exe	csc.exe
File opened for modification	C:\Windows\system32\MRT.exe	Utility.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	lhhsgwktkatl.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

lhhsgwktkatl.exe

description	pid	process	target process
PID 796 set thread context of 4556	796	lhhsgwktkatl.exe	conhost.exe
PID 796 set thread context of 1052	796	lhhsgwktkatl.exe	conhost.exe

Drops file in Program Files directory 3 IoCs

Processes:

Sessionperf.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\dllhost.exe	Sessionperf.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\5940a34987c991	Sessionperf.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\dllhost.exe	Sessionperf.exe

Drops file in Windows directory 4 IoCs

Processes:

Sessionperf.exe

description	ioc	process
File created	C:\Windows\ELAMBKUP\SearchUI.exe	Sessionperf.exe
File created	C:\Windows\ELAMBKUP\dab4d89cac03ec	Sessionperf.exe
File created	C:\Windows\Fonts\SearchUI.exe	Sessionperf.exe
File created	C:\Windows\Fonts\dab4d89cac03ec	Sessionperf.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

4672 sc.exe
1632 sc.exe
4664 sc.exe
3632 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4672	sc.exe
1632	sc.exe
4664	sc.exe
3632	sc.exe

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1968	schtasks.exe
3704	schtasks.exe
4924	schtasks.exe
636	schtasks.exe
2980	schtasks.exe
2348	schtasks.exe
4116	schtasks.exe
1312	schtasks.exe
3048	schtasks.exe
4364	schtasks.exe
4076	schtasks.exe
4468	schtasks.exe
5056	schtasks.exe
3464	schtasks.exe
828	schtasks.exe

Modifies data under HKEY_USERS 47 IoCs

Processes:

powershell.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe

Modifies registry class 2 IoCs

Processes:

Checker.exeSessionperf.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	Checker.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	Sessionperf.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4976 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3480 PING.EXE

pid	process
4976	reg.exe

pid	process
3480	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Sessionperf.exe

pid	process
4992	Sessionperf.exe
4992	Sessionperf.exe
4992	Sessionperf.exe
4992	Sessionperf.exe
4992	Sessionperf.exe
4992	Sessionperf.exe
4992	Sessionperf.exe
4992	Sessionperf.exe
4992	Sessionperf.exe
4992	Sessionperf.exe
4992	Sessionperf.exe
4992	Sessionperf.exe
4992	Sessionperf.exe
4992	Sessionperf.exe
4992	Sessionperf.exe
4992	Sessionperf.exe
4992	Sessionperf.exe
4992	Sessionperf.exe
4992	Sessionperf.exe
4992	Sessionperf.exe
4992	Sessionperf.exe
4992	Sessionperf.exe
4992	Sessionperf.exe
4992	Sessionperf.exe
4992	Sessionperf.exe
4992	Sessionperf.exe
4992	Sessionperf.exe
4992	Sessionperf.exe
4992	Sessionperf.exe
4992	Sessionperf.exe
4992	Sessionperf.exe
4992	Sessionperf.exe
4992	Sessionperf.exe
4992	Sessionperf.exe
4992	Sessionperf.exe
4992	Sessionperf.exe
4992	Sessionperf.exe
4992	Sessionperf.exe
4992	Sessionperf.exe
4992	Sessionperf.exe
4992	Sessionperf.exe
4992	Sessionperf.exe
4992	Sessionperf.exe
4992	Sessionperf.exe
4992	Sessionperf.exe
4992	Sessionperf.exe
4992	Sessionperf.exe
4992	Sessionperf.exe
4992	Sessionperf.exe
4992	Sessionperf.exe
4992	Sessionperf.exe
4992	Sessionperf.exe
4992	Sessionperf.exe
4992	Sessionperf.exe
4992	Sessionperf.exe
4992	Sessionperf.exe
4992	Sessionperf.exe
4992	Sessionperf.exe
4992	Sessionperf.exe
4992	Sessionperf.exe
4992	Sessionperf.exe
4992	Sessionperf.exe
4992	Sessionperf.exe
4992	Sessionperf.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

SearchUI.exe

pid process

1484 SearchUI.exe

pid	process
1484	SearchUI.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Loader.exeSessionperf.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4740	Loader.exe
Token: SeDebugPrivilege	4992	Sessionperf.exe
Token: SeDebugPrivilege	4636	powershell.exe
Token: SeDebugPrivilege	2620	powershell.exe
Token: SeDebugPrivilege	752	powershell.exe
Token: SeDebugPrivilege	4652	powershell.exe
Token: SeDebugPrivilege	4696	powershell.exe
Token: SeIncreaseQuotaPrivilege	2620	powershell.exe
Token: SeSecurityPrivilege	2620	powershell.exe
Token: SeTakeOwnershipPrivilege	2620	powershell.exe
Token: SeLoadDriverPrivilege	2620	powershell.exe
Token: SeSystemProfilePrivilege	2620	powershell.exe
Token: SeSystemtimePrivilege	2620	powershell.exe
Token: SeProfSingleProcessPrivilege	2620	powershell.exe
Token: SeIncBasePriorityPrivilege	2620	powershell.exe
Token: SeCreatePagefilePrivilege	2620	powershell.exe
Token: SeBackupPrivilege	2620	powershell.exe
Token: SeRestorePrivilege	2620	powershell.exe
Token: SeShutdownPrivilege	2620	powershell.exe
Token: SeDebugPrivilege	2620	powershell.exe
Token: SeSystemEnvironmentPrivilege	2620	powershell.exe
Token: SeRemoteShutdownPrivilege	2620	powershell.exe
Token: SeUndockPrivilege	2620	powershell.exe
Token: SeManageVolumePrivilege	2620	powershell.exe
Token: 33	2620	powershell.exe
Token: 34	2620	powershell.exe
Token: 35	2620	powershell.exe
Token: 36	2620	powershell.exe
Token: SeIncreaseQuotaPrivilege	4652	powershell.exe
Token: SeSecurityPrivilege	4652	powershell.exe
Token: SeTakeOwnershipPrivilege	4652	powershell.exe
Token: SeLoadDriverPrivilege	4652	powershell.exe
Token: SeSystemProfilePrivilege	4652	powershell.exe
Token: SeSystemtimePrivilege	4652	powershell.exe
Token: SeProfSingleProcessPrivilege	4652	powershell.exe
Token: SeIncBasePriorityPrivilege	4652	powershell.exe
Token: SeCreatePagefilePrivilege	4652	powershell.exe
Token: SeBackupPrivilege	4652	powershell.exe
Token: SeRestorePrivilege	4652	powershell.exe
Token: SeShutdownPrivilege	4652	powershell.exe
Token: SeDebugPrivilege	4652	powershell.exe
Token: SeSystemEnvironmentPrivilege	4652	powershell.exe
Token: SeRemoteShutdownPrivilege	4652	powershell.exe
Token: SeUndockPrivilege	4652	powershell.exe
Token: SeManageVolumePrivilege	4652	powershell.exe
Token: 33	4652	powershell.exe
Token: 34	4652	powershell.exe
Token: 35	4652	powershell.exe
Token: 36	4652	powershell.exe
Token: SeIncreaseQuotaPrivilege	752	powershell.exe
Token: SeSecurityPrivilege	752	powershell.exe
Token: SeTakeOwnershipPrivilege	752	powershell.exe
Token: SeLoadDriverPrivilege	752	powershell.exe
Token: SeSystemProfilePrivilege	752	powershell.exe
Token: SeSystemtimePrivilege	752	powershell.exe
Token: SeProfSingleProcessPrivilege	752	powershell.exe
Token: SeIncBasePriorityPrivilege	752	powershell.exe
Token: SeCreatePagefilePrivilege	752	powershell.exe
Token: SeBackupPrivilege	752	powershell.exe
Token: SeRestorePrivilege	752	powershell.exe
Token: SeShutdownPrivilege	752	powershell.exe
Token: SeDebugPrivilege	752	powershell.exe
Token: SeSystemEnvironmentPrivilege	752	powershell.exe
Token: SeRemoteShutdownPrivilege	752	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

SearchUI.exe

pid process

1484 SearchUI.exe

pid	process
1484	SearchUI.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

Loader.exeChecker.exeWScript.execmd.exeSessionperf.execsc.execmd.execmd.exelhhsgwktkatl.execmd.exe

description	pid	process	target process
PID 4740 wrote to memory of 1340	4740	Loader.exe	Checker.exe
PID 4740 wrote to memory of 1340	4740	Loader.exe	Checker.exe
PID 4740 wrote to memory of 1340	4740	Loader.exe	Checker.exe
PID 1340 wrote to memory of 1408	1340	Checker.exe	WScript.exe
PID 1340 wrote to memory of 1408	1340	Checker.exe	WScript.exe
PID 1340 wrote to memory of 1408	1340	Checker.exe	WScript.exe
PID 4740 wrote to memory of 4904	4740	Loader.exe	Utility.exe
PID 4740 wrote to memory of 4904	4740	Loader.exe	Utility.exe
PID 1408 wrote to memory of 4048	1408	WScript.exe	cmd.exe
PID 1408 wrote to memory of 4048	1408	WScript.exe	cmd.exe
PID 1408 wrote to memory of 4048	1408	WScript.exe	cmd.exe
PID 4048 wrote to memory of 4976	4048	cmd.exe	reg.exe
PID 4048 wrote to memory of 4976	4048	cmd.exe	reg.exe
PID 4048 wrote to memory of 4976	4048	cmd.exe	reg.exe
PID 4048 wrote to memory of 4992	4048	cmd.exe	Sessionperf.exe
PID 4048 wrote to memory of 4992	4048	cmd.exe	Sessionperf.exe
PID 4992 wrote to memory of 3288	4992	Sessionperf.exe	csc.exe
PID 4992 wrote to memory of 3288	4992	Sessionperf.exe	csc.exe
PID 3288 wrote to memory of 4108	3288	csc.exe	cvtres.exe
PID 3288 wrote to memory of 4108	3288	csc.exe	cvtres.exe
PID 4992 wrote to memory of 752	4992	Sessionperf.exe	powershell.exe
PID 4992 wrote to memory of 752	4992	Sessionperf.exe	powershell.exe
PID 4992 wrote to memory of 4652	4992	Sessionperf.exe	powershell.exe
PID 4992 wrote to memory of 4652	4992	Sessionperf.exe	powershell.exe
PID 4992 wrote to memory of 4636	4992	Sessionperf.exe	powershell.exe
PID 4992 wrote to memory of 4636	4992	Sessionperf.exe	powershell.exe
PID 4992 wrote to memory of 2620	4992	Sessionperf.exe	powershell.exe
PID 4992 wrote to memory of 2620	4992	Sessionperf.exe	powershell.exe
PID 4992 wrote to memory of 4696	4992	Sessionperf.exe	powershell.exe
PID 4992 wrote to memory of 4696	4992	Sessionperf.exe	powershell.exe
PID 4992 wrote to memory of 2892	4992	Sessionperf.exe	cmd.exe
PID 4992 wrote to memory of 2892	4992	Sessionperf.exe	cmd.exe
PID 2892 wrote to memory of 1928	2892	cmd.exe	chcp.com
PID 2892 wrote to memory of 1928	2892	cmd.exe	chcp.com
PID 2892 wrote to memory of 3480	2892	cmd.exe	PING.EXE
PID 2892 wrote to memory of 3480	2892	cmd.exe	PING.EXE
PID 2892 wrote to memory of 1484	2892	cmd.exe	SearchUI.exe
PID 2892 wrote to memory of 1484	2892	cmd.exe	SearchUI.exe
PID 3492 wrote to memory of 4396	3492	cmd.exe	wusa.exe
PID 3492 wrote to memory of 4396	3492	cmd.exe	wusa.exe
PID 796 wrote to memory of 4556	796	lhhsgwktkatl.exe	conhost.exe
PID 796 wrote to memory of 4556	796	lhhsgwktkatl.exe	conhost.exe
PID 796 wrote to memory of 4556	796	lhhsgwktkatl.exe	conhost.exe
PID 796 wrote to memory of 4556	796	lhhsgwktkatl.exe	conhost.exe
PID 796 wrote to memory of 4556	796	lhhsgwktkatl.exe	conhost.exe
PID 796 wrote to memory of 4556	796	lhhsgwktkatl.exe	conhost.exe
PID 796 wrote to memory of 4556	796	lhhsgwktkatl.exe	conhost.exe
PID 796 wrote to memory of 4556	796	lhhsgwktkatl.exe	conhost.exe
PID 796 wrote to memory of 4556	796	lhhsgwktkatl.exe	conhost.exe
PID 796 wrote to memory of 1052	796	lhhsgwktkatl.exe	conhost.exe
PID 796 wrote to memory of 1052	796	lhhsgwktkatl.exe	conhost.exe
PID 796 wrote to memory of 1052	796	lhhsgwktkatl.exe	conhost.exe
PID 796 wrote to memory of 1052	796	lhhsgwktkatl.exe	conhost.exe
PID 5012 wrote to memory of 3956	5012	cmd.exe	wusa.exe
PID 5012 wrote to memory of 3956	5012	cmd.exe	wusa.exe
PID 796 wrote to memory of 1052	796	lhhsgwktkatl.exe	conhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4740

C:\Users\Admin\AppData\Local\Temp\Checker.exe
"C:\Users\Admin\AppData\Local\Temp\Checker.exe"
2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1340

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\blockcontainerWincrtdll\SFUqxLlNpV20NJ9uCnUYCbrkrl1WOe98n.vbe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\blockcontainerWincrtdll\TudTneFnbF0PE5UTQ8BUoLqStO6.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:4048

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
5⤵
- Modifies registry key
PID:4976

C:\blockcontainerWincrtdll\Sessionperf.exe
"C:\blockcontainerWincrtdll/Sessionperf.exe"
5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4992

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ryud1yev\ryud1yev.cmdline"
6⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3288

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7CA2.tmp" "c:\Windows\System32\CSC79B5F84164214786884E3EAD95D278F.TMP"
7⤵
PID:4108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\dllhost.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:752

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4652

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\SearchUI.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4636

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\ShellExperienceHost.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2620

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ELAMBKUP\SearchUI.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4696

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z69iCHKQNJ.bat"
6⤵
- Suspicious use of WriteProcessMemory
PID:2892

C:\Windows\system32\chcp.com
chcp 65001
7⤵
PID:1928

C:\Windows\system32\PING.EXE
ping -n 10 localhost
7⤵
- Runs ping.exe
PID:3480

C:\Windows\Fonts\SearchUI.exe
"C:\Windows\Fonts\SearchUI.exe"
7⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1484

C:\Users\Admin\AppData\Local\Temp\Utility.exe
"C:\Users\Admin\AppData\Local\Temp\Utility.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4904

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
3⤵
- Command and Scripting Interpreter: PowerShell
PID:4908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
3⤵
- Suspicious use of WriteProcessMemory
PID:3492

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
4⤵
PID:4396

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
3⤵
PID:4324

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
3⤵
PID:1304

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
3⤵
PID:1500

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
3⤵
PID:3456

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "QHRAJGDI"
3⤵
- Launches sc.exe
PID:4672

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "QHRAJGDI" binpath= "C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe" start= "auto"
3⤵
- Launches sc.exe
PID:1632

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
3⤵
- Launches sc.exe
PID:4664

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "QHRAJGDI"
3⤵
- Launches sc.exe
PID:3632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 12 /tr "'C:\Windows\Fonts\SearchUI.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Windows\Fonts\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 9 /tr "'C:\Windows\Fonts\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\ShellExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Users\All Users\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\ShellExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 13 /tr "'C:\Windows\ELAMBKUP\SearchUI.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Windows\ELAMBKUP\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 14 /tr "'C:\Windows\ELAMBKUP\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5056

C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe
C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:796

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
2⤵
- Suspicious use of WriteProcessMemory
PID:5012

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
3⤵
PID:3956

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
PID:4848

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
PID:1996

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
PID:4736

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
PID:880

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:4556

C:\Windows\system32\conhost.exe
conhost.exe
2⤵
PID:1052

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
50222fbf254a03f9a4c888ccb48819e6

SHA1
69b96bfdcd83f671372c2c260a53abd2d5d1321c

SHA256
acc2b4295aabc11156f83bd1e55b06358d15f9e34a698c1d4f81517730a0edf3

SHA512
a9f52459140179287067787eeb1708207f0c5d3fd62a822d5fded068449a02b31c6dc60b6ef50f215306c9d789a8214a0fdcb2d31b5eae0cfdd741c6e15cb2fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
cc3b432ef5e0218aafcad5b72713c7e6

SHA1
aab4ecdc5cfc1e356fd6f1373317c0d6179a756e

SHA256
4c8ac3a1d50418d156c737a13a5030fd78f6dc203806a520117643aa5ab7dbdb

SHA512
bdb7fbc888ff3bf5991e007797a3d6b8d5019ffe942f2f17d00f39e57fd4ab9788e798cd3c06eccab8e1ed5def2243a2dc110804a159bf128228dadff69efea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Checker.exe
Filesize
3.9MB

MD5
1003b37d9d942d41a38a83670eaa285c

SHA1
a4ee7ef69fc681caf1116d59578667abb9080ad6

SHA256
d822b616ee7e10b00fead9be9eb0cf9780fdb0b3fec3001ff31c9ce0cb7255ae

SHA512
0c6f4e063cc22ee3c076c95bf5ea1cb593e5b6f40e4f2b8d3723a5c18c14eeecf568dad2a16599967c56588f4918cecd996e475fd20615b07c99de4800309f9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7CA2.tmp
Filesize
1KB

MD5
264336e70f56d76d5f6e44adbb373670

SHA1
e52218e5a6dd6251bf78aebee36ff18014d1c845

SHA256
afa3021dbcea019f488e70ff6e15d81a739a708e3e09de8a84c0cde18c269a01

SHA512
1bf541bf8aefaebccb902b0812900859901d35c253d0f3d737dd52a9a2a6f0f59f660ce6dfe0afdcd59f6bed17db5e430f629cd85e8a9e1b64b36b0c9e243850

Download Submit
C:\Users\Admin\AppData\Local\Temp\Utility.exe
Filesize
5.0MB

MD5
b1ac2ea973651a70ea72597e13a10f0a

SHA1
07e7cdedc54067a46b1d42cdf8a2c9050c3d3419

SHA256
e2cb500c902da55ac07cbfbe30b8d1cef8781e55f0439ed601672636c3ab8c47

SHA512
02b0dbc8a31ca440027a6c07d618a92bb520567ccd338c28dfcb86faa5b56c866564cf1a05b1754dcfeb252d12d76da57fd2de87804454f0ef1097431764c1f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xxtn5x42.v1c.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\z69iCHKQNJ.bat
Filesize
157B

MD5
d3dfd4d3c4d151e0330ec389f7f69d2d

SHA1
c300653d370019b592dc96f94abd0e23e78e7b80

SHA256
f34d7228022f69fef13ae9775b1f3c09bb3eb40eab970f8f3336ecc89e618ed8

SHA512
28c1502e5aff643f689f9a3b7148b5807434d4de026fb26f5016dd91ca84a1d461cff4efb942782228c9431c95d2e81fa7474176afeabb07fbc37adde18a415d

Download Submit
C:\blockcontainerWincrtdll\SFUqxLlNpV20NJ9uCnUYCbrkrl1WOe98n.vbe
Filesize
228B

MD5
4f702b152f4098393712e3fe99b04fbd

SHA1
fec2f913e1fac5053127e175f1ba048c9d8dd25c

SHA256
f0e2bfb22d22aed8ac10eff5a010fad081a5798706b3a6fd7764798cab716eb2

SHA512
7c0844d6591b694d77ecf3d070eb3f70fd99427e41d62167aa58c98c1966a8065d90beb82ab0aa0a42bb80edb3c205dd07bb1d4fc03d989a0cb4df8993635fbf

Download Submit
C:\blockcontainerWincrtdll\Sessionperf.exe
Filesize
3.6MB

MD5
bf0f63bb48eb95aaec6fc6a001c974ce

SHA1
19baab2b0c129ecbd6a1aa21bada3e2e5cdd1136

SHA256
bbb080aed81b8f4d0f5d590c7cb0e56e68da5a27d32d964c32e50e1cb2015edc

SHA512
130f08a7c4901ef47e7d21effe83c19fa442f2ade97967c11e646f949a9e8c2c46e8272a31a5b75f6c279009530cd101a562f1ab31a28fe410273cd69bf6c28c

Download Submit
C:\blockcontainerWincrtdll\TudTneFnbF0PE5UTQ8BUoLqStO6.bat
Filesize
201B

MD5
159297f9e35114bf97d74622097780d8

SHA1
2aaaf993b9ecb9bae43ccd41585734512ff08355

SHA256
650c37c1afde471e40f77d7aec8603382214e9ec318b7f08ab7653f9c4e87f81

SHA512
a82faa2f64caf669d44eac03705e34bea213c9a74ed73950bd8d2158d1c256ca290b7ffece866c3a03c36a091be70d92157353782061e184e5d44ac937949f69

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ryud1yev\ryud1yev.0.cs
Filesize
418B

MD5
60ded119b176ce3d3204e13b1f2ce8fc

SHA1
f0eec283ad4f26cd87e7af93877ea67a64b73fd3

SHA256
0cb2a16690abbee944df5a7dda7d9dddde2efa766f11ef5dcd9dd4cafe28ee80

SHA512
dd0ca1a9484c8f850dcdb5c49ed85584e5512b3198fe1466a0670e4de993805f65010c12f3f44cd15b7a784a45da7e0729197fe44bb252acdeaa3f27e82d9a8f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ryud1yev\ryud1yev.cmdline
Filesize
235B

MD5
edabe3e0c5856c406f50b1344d5d8436

SHA1
9bd2c98266681c7b8b6fe5e65e65b20b23b8f5ae

SHA256
b7061debbe185ed2af5323c789e143bedf676d6077fb2762c14dcab143993549

SHA512
001aaf7bbbfe9dcfbdaf4fd83ee5d42ca94a29d7f16be85af20f4a6e5861ae02c2762757f619aea99a973ea704ce70297d691ff083c6d10f0099ead9bafec844

Download Submit
\??\c:\Windows\System32\CSC79B5F84164214786884E3EAD95D278F.TMP
Filesize
1KB

MD5
3c6c119719d31b50de7f452089335017

SHA1
39745ce249441d338a04ebee3416883e474e8a6c

SHA256
efed7ec431027985049e064afc49fe3e927b1be472c98f5cf89838989f0a019f

SHA512
673f6b8ab4d2a131f559fd7506f8ccd0fd374dcaaa1b6951213023dbc2dba7e3fa797b482cdc0d26990fc864f2c8473d2245abc5ebb976a704f7da06f6fe5d31

Download Submit
memory/1052-561-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1052-565-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1052-596-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1052-595-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1052-562-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1052-559-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1052-563-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1052-560-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1052-564-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1052-567-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1052-570-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1052-569-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1052-568-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1052-571-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1052-566-0x00000295765A0000-0x00000295765C0000-memory.dmp

Filesize
128KB

Download
memory/1484-574-0x000000001C450000-0x000000001C4EE000-memory.dmp

Filesize
632KB

Download
memory/2620-131-0x0000025ECBCB0000-0x0000025ECBD26000-memory.dmp

Filesize
472KB

Download
memory/4556-555-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4556-558-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4556-552-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4556-553-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4556-554-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4556-551-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4636-127-0x000002BFA9330000-0x000002BFA9352000-memory.dmp

Filesize
136KB

Download
memory/4740-0-0x0000000000E10000-0x0000000000E6E000-memory.dmp

Filesize
376KB

Download
memory/4740-25-0x00007FFAB0570000-0x00007FFAB0F5C000-memory.dmp

Filesize
9.9MB

Download
memory/4740-3-0x00007FFAB0570000-0x00007FFAB0F5C000-memory.dmp

Filesize
9.9MB

Download
memory/4740-2-0x00007FFAB0570000-0x00007FFAB0F5C000-memory.dmp

Filesize
9.9MB

Download
memory/4740-1-0x00007FFAB0573000-0x00007FFAB0574000-memory.dmp

Filesize
4KB

Download
memory/4992-45-0x00000000032E0000-0x00000000032F0000-memory.dmp

Filesize
64KB

Download
memory/4992-47-0x00000000032F0000-0x00000000032FE000-memory.dmp

Filesize
56KB

Download
memory/4992-80-0x000000001C250000-0x000000001C29E000-memory.dmp

Filesize
312KB

Download
memory/4992-78-0x000000001C150000-0x000000001C15C000-memory.dmp

Filesize
48KB

Download
memory/4992-76-0x000000001C1E0000-0x000000001C1F8000-memory.dmp

Filesize
96KB

Download
memory/4992-74-0x000000001C140000-0x000000001C14E000-memory.dmp

Filesize
56KB

Download
memory/4992-30-0x0000000000DC0000-0x0000000001162000-memory.dmp

Filesize
3.6MB

Download
memory/4992-32-0x0000000003280000-0x00000000032A6000-memory.dmp

Filesize
152KB

Download
memory/4992-34-0x0000000003250000-0x000000000325E000-memory.dmp

Filesize
56KB

Download
memory/4992-72-0x000000001C130000-0x000000001C140000-memory.dmp

Filesize
64KB

Download
memory/4992-70-0x000000001C120000-0x000000001C12E000-memory.dmp

Filesize
56KB

Download
memory/4992-68-0x000000001C180000-0x000000001C1DA000-memory.dmp

Filesize
360KB

Download
memory/4992-66-0x000000001BEC0000-0x000000001BED0000-memory.dmp

Filesize
64KB

Download
memory/4992-64-0x000000001BEB0000-0x000000001BEC0000-memory.dmp

Filesize
64KB

Download
memory/4992-62-0x00000000033A0000-0x00000000033AE000-memory.dmp

Filesize
56KB

Download
memory/4992-60-0x000000001C650000-0x000000001CB76000-memory.dmp

Filesize
5.1MB

Download
memory/4992-59-0x000000001C100000-0x000000001C112000-memory.dmp

Filesize
72KB

Download
memory/4992-57-0x000000001C0E0000-0x000000001C0F6000-memory.dmp

Filesize
88KB

Download
memory/4992-53-0x0000000003380000-0x000000000338C000-memory.dmp

Filesize
48KB

Download
memory/4992-55-0x0000000003390000-0x00000000033A0000-memory.dmp

Filesize
64KB

Download
memory/4992-51-0x000000001BE90000-0x000000001BEA2000-memory.dmp

Filesize
72KB

Download
memory/4992-49-0x0000000003320000-0x000000000332E000-memory.dmp

Filesize
56KB

Download
memory/4992-142-0x000000001CE80000-0x000000001CF1E000-memory.dmp

Filesize
632KB

Download
memory/4992-43-0x0000000003270000-0x0000000003280000-memory.dmp

Filesize
64KB

Download
memory/4992-41-0x0000000003300000-0x0000000003318000-memory.dmp

Filesize
96KB

Download
memory/4992-39-0x0000000003260000-0x0000000003270000-memory.dmp

Filesize
64KB

Download
memory/4992-37-0x0000000003330000-0x0000000003380000-memory.dmp

Filesize
320KB

Download
memory/4992-36-0x00000000032B0000-0x00000000032CC000-memory.dmp

Filesize
112KB

Download
memory/5072-462-0x000001CE477D0000-0x000001CE477DA000-memory.dmp

Filesize
40KB

Download
memory/5072-429-0x000001CE47CA0000-0x000001CE47D59000-memory.dmp

Filesize
740KB

Download
memory/5072-423-0x000001CE477B0000-0x000001CE477CC000-memory.dmp

Filesize
112KB

Download