phorphiex | fa8dbfb40bb6a7875b6e2a0cf227e6ccef6ee0e2cc2a69933977a598184360b2

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 20:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-23_406a3a86c943033b2d6c31b7d35f7f43_avoslocker.exe
Size

1.2MB
MD5

406a3a86c943033b2d6c31b7d35f7f43
SHA1

cb033b8491f28e3dd14ab94e1a51141c3f6a7774
SHA256

fa8dbfb40bb6a7875b6e2a0cf227e6ccef6ee0e2cc2a69933977a598184360b2
SHA512

ff8552701a083e7c929dba4c03b12fef4dc772935c615a259833639622faf536688f788422b61531257c2a7bb7abe0e500fc7b620b446af7a7993570718b1d04
SSDEEP

24576:gduISHkczHGXR4IKsxo+MbLI6GpwDuk0zex9kr5NIhixZIQnyDqUSQ0gGtIQt:gVcghXIOpwDuk0zejkMhixaYdC0gGtjt

Score

10^/10

phorphiex xmrig evasion loader miner persistence spyware stealer trojan worm

Malware Config

Extracted

Family

phorphiex

http://185.215.113.66/

http://5.42.96.117/

http://91.202.233.141/

Wallets

0xCa90599132C4D88907Bd8E046540284aa468a035

TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

LLeT2zkStY3cvxMBFhoWXkG5VuZPoezduv

rwc4LVd9ABpULQ1CuCpDkgX2xVB1fUijyb

48jYpFT6bT8MTeph7VsyzCQeDsGHqdQNc2kUkRFJPzfRHHjarBvBtudPUtParMkDzZbYBrd3yntWBQcsnVBNeeMbN9EXifg

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

17hgMFyLDwMjxWqw5GhijhnPdJDyFDqecY

ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3FerB8kUraAVGCVCNkgv57zTBjUGjAUkU3

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1epx67ne4vckqmaj4gwke8m322f4yjr6eh52wqw

bc1qmpkehfffkr6phuklsksnd7nhgx0369sxu772m3

bitcoincash:qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

GBQJMXYXPRIWFMXIFJR35ZB7LRKMB4PHCIUAUFR3TKUL6RDBZVLZEUJ3

Attributes

mutex
plo7udsa2s
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36

Signatures

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Windows Service
T1543.003

Processes:

syslmgrsvc.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" syslmgrsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	syslmgrsvc.exe

Phorphiex payload 1 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\2519519120.exe	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

Processes:

1833433559.exewupgrdsv.exe

description	pid	process	target process
PID 1700 created 1132	1700	1833433559.exe	Explorer.EXE
PID 1700 created 1132	1700	1833433559.exe	Explorer.EXE
PID 832 created 1132	832	wupgrdsv.exe	Explorer.EXE
PID 832 created 1132	832	wupgrdsv.exe	Explorer.EXE

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

syslmgrsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	syslmgrsvc.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 3 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/832-279-0x000000013FD00000-0x0000000140276000-memory.dmp	xmrig
behavioral1/memory/2528-285-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/2528-286-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig

Downloads MZ/PE file

Executes dropped EXE 11 IoCs

Processes:

2710.exe2519519120.exesyslmgrsvc.exe3241628178.exe2954916624.exeWindows Security Upgrade Service.exe243047698.exeWindows Security Upgrade Service.exe1833433559.exewupgrdsv.exeWindows Security Upgrade Service.exe

pid	process
2080	2710.exe
2776	2519519120.exe
2220	syslmgrsvc.exe
2824	3241628178.exe
2172	2954916624.exe
2480	Windows Security Upgrade Service.exe
2168	243047698.exe
1888	Windows Security Upgrade Service.exe
1700	1833433559.exe
832	wupgrdsv.exe
2188	Windows Security Upgrade Service.exe

Loads dropped DLL 16 IoCs

Processes:

2024-05-23_406a3a86c943033b2d6c31b7d35f7f43_avoslocker.exe2710.exe2519519120.exesyslmgrsvc.exe2954916624.exe243047698.exetaskeng.exe

pid	process
1964	2024-05-23_406a3a86c943033b2d6c31b7d35f7f43_avoslocker.exe
2080	2710.exe
2080	2710.exe
2080	2710.exe
2080	2710.exe
2776	2519519120.exe
2776	2519519120.exe
2220	syslmgrsvc.exe
2220	syslmgrsvc.exe
2220	syslmgrsvc.exe
2172	2954916624.exe
2220	syslmgrsvc.exe
2172	2954916624.exe
2168	243047698.exe
2744	taskeng.exe
2172	2954916624.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

syslmgrsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	syslmgrsvc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2519519120.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\syslmgrsvc.exe"	2519519120.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

wupgrdsv.exe

description pid process target process

PID 832 set thread context of 2528 832 wupgrdsv.exe notepad.exe
Drops file in Windows directory 2 IoCs

Processes:

2519519120.exe

description ioc process

File created C:\Windows\syslmgrsvc.exe 2519519120.exe
File opened for modification C:\Windows\syslmgrsvc.exe 2519519120.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

572 schtasks.exe
2392 schtasks.exe

description	pid	process	target process
PID 832 set thread context of 2528	832	wupgrdsv.exe	notepad.exe

description	ioc	process
File created	C:\Windows\syslmgrsvc.exe	2519519120.exe
File opened for modification	C:\Windows\syslmgrsvc.exe	2519519120.exe

pid	process
572	schtasks.exe
2392	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

2024-05-23_406a3a86c943033b2d6c31b7d35f7f43_avoslocker.exe1833433559.exepowershell.exewupgrdsv.exepowershell.exe

pid	process
1964	2024-05-23_406a3a86c943033b2d6c31b7d35f7f43_avoslocker.exe
1964	2024-05-23_406a3a86c943033b2d6c31b7d35f7f43_avoslocker.exe
1964	2024-05-23_406a3a86c943033b2d6c31b7d35f7f43_avoslocker.exe
1700	1833433559.exe
1700	1833433559.exe
1928	powershell.exe
1700	1833433559.exe
1700	1833433559.exe
832	wupgrdsv.exe
832	wupgrdsv.exe
2896	powershell.exe
832	wupgrdsv.exe
832	wupgrdsv.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

2024-05-23_406a3a86c943033b2d6c31b7d35f7f43_avoslocker.exepowershell.exepowershell.exenotepad.exe

description	pid	process
Token: SeRestorePrivilege	1964	2024-05-23_406a3a86c943033b2d6c31b7d35f7f43_avoslocker.exe
Token: SeBackupPrivilege	1964	2024-05-23_406a3a86c943033b2d6c31b7d35f7f43_avoslocker.exe
Token: SeDebugPrivilege	1928	powershell.exe
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeLockMemoryPrivilege	2528	notepad.exe
Token: SeLockMemoryPrivilege	2528	notepad.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

notepad.exe

pid	process
2528	notepad.exe
2528	notepad.exe
2528	notepad.exe
2528	notepad.exe
2528	notepad.exe
2528	notepad.exe
2528	notepad.exe
2528	notepad.exe
2528	notepad.exe
2528	notepad.exe
2528	notepad.exe
2528	notepad.exe
2528	notepad.exe
2528	notepad.exe
2528	notepad.exe
2528	notepad.exe
2528	notepad.exe
2528	notepad.exe
2528	notepad.exe
2528	notepad.exe
2528	notepad.exe
2528	notepad.exe
2528	notepad.exe
2528	notepad.exe
2528	notepad.exe

Suspicious use of SendNotifyMessage 25 IoCs

Processes:

notepad.exe

pid	process
2528	notepad.exe
2528	notepad.exe
2528	notepad.exe
2528	notepad.exe
2528	notepad.exe
2528	notepad.exe
2528	notepad.exe
2528	notepad.exe
2528	notepad.exe
2528	notepad.exe
2528	notepad.exe
2528	notepad.exe
2528	notepad.exe
2528	notepad.exe
2528	notepad.exe
2528	notepad.exe
2528	notepad.exe
2528	notepad.exe
2528	notepad.exe
2528	notepad.exe
2528	notepad.exe
2528	notepad.exe
2528	notepad.exe
2528	notepad.exe
2528	notepad.exe

Suspicious use of WriteProcessMemory 59 IoCs

Processes:

2024-05-23_406a3a86c943033b2d6c31b7d35f7f43_avoslocker.exe2710.exe2519519120.exesyslmgrsvc.exe2954916624.exe243047698.exepowershell.exetaskeng.exepowershell.exewupgrdsv.exe

description	pid	process	target process
PID 1964 wrote to memory of 2080	1964	2024-05-23_406a3a86c943033b2d6c31b7d35f7f43_avoslocker.exe	2710.exe
PID 1964 wrote to memory of 2080	1964	2024-05-23_406a3a86c943033b2d6c31b7d35f7f43_avoslocker.exe	2710.exe
PID 1964 wrote to memory of 2080	1964	2024-05-23_406a3a86c943033b2d6c31b7d35f7f43_avoslocker.exe	2710.exe
PID 1964 wrote to memory of 2080	1964	2024-05-23_406a3a86c943033b2d6c31b7d35f7f43_avoslocker.exe	2710.exe
PID 1964 wrote to memory of 2080	1964	2024-05-23_406a3a86c943033b2d6c31b7d35f7f43_avoslocker.exe	2710.exe
PID 1964 wrote to memory of 2080	1964	2024-05-23_406a3a86c943033b2d6c31b7d35f7f43_avoslocker.exe	2710.exe
PID 1964 wrote to memory of 2080	1964	2024-05-23_406a3a86c943033b2d6c31b7d35f7f43_avoslocker.exe	2710.exe
PID 2080 wrote to memory of 2776	2080	2710.exe	2519519120.exe
PID 2080 wrote to memory of 2776	2080	2710.exe	2519519120.exe
PID 2080 wrote to memory of 2776	2080	2710.exe	2519519120.exe
PID 2080 wrote to memory of 2776	2080	2710.exe	2519519120.exe
PID 2080 wrote to memory of 2776	2080	2710.exe	2519519120.exe
PID 2080 wrote to memory of 2776	2080	2710.exe	2519519120.exe
PID 2080 wrote to memory of 2776	2080	2710.exe	2519519120.exe
PID 2776 wrote to memory of 2220	2776	2519519120.exe	syslmgrsvc.exe
PID 2776 wrote to memory of 2220	2776	2519519120.exe	syslmgrsvc.exe
PID 2776 wrote to memory of 2220	2776	2519519120.exe	syslmgrsvc.exe
PID 2776 wrote to memory of 2220	2776	2519519120.exe	syslmgrsvc.exe
PID 2776 wrote to memory of 2220	2776	2519519120.exe	syslmgrsvc.exe
PID 2776 wrote to memory of 2220	2776	2519519120.exe	syslmgrsvc.exe
PID 2776 wrote to memory of 2220	2776	2519519120.exe	syslmgrsvc.exe
PID 2220 wrote to memory of 2824	2220	syslmgrsvc.exe	3241628178.exe
PID 2220 wrote to memory of 2824	2220	syslmgrsvc.exe	3241628178.exe
PID 2220 wrote to memory of 2824	2220	syslmgrsvc.exe	3241628178.exe
PID 2220 wrote to memory of 2824	2220	syslmgrsvc.exe	3241628178.exe
PID 2220 wrote to memory of 2172	2220	syslmgrsvc.exe	2954916624.exe
PID 2220 wrote to memory of 2172	2220	syslmgrsvc.exe	2954916624.exe
PID 2220 wrote to memory of 2172	2220	syslmgrsvc.exe	2954916624.exe
PID 2220 wrote to memory of 2172	2220	syslmgrsvc.exe	2954916624.exe
PID 2172 wrote to memory of 2480	2172	2954916624.exe	Windows Security Upgrade Service.exe
PID 2172 wrote to memory of 2480	2172	2954916624.exe	Windows Security Upgrade Service.exe
PID 2172 wrote to memory of 2480	2172	2954916624.exe	Windows Security Upgrade Service.exe
PID 2172 wrote to memory of 2480	2172	2954916624.exe	Windows Security Upgrade Service.exe
PID 2220 wrote to memory of 2168	2220	syslmgrsvc.exe	243047698.exe
PID 2220 wrote to memory of 2168	2220	syslmgrsvc.exe	243047698.exe
PID 2220 wrote to memory of 2168	2220	syslmgrsvc.exe	243047698.exe
PID 2220 wrote to memory of 2168	2220	syslmgrsvc.exe	243047698.exe
PID 2172 wrote to memory of 1888	2172	2954916624.exe	Windows Security Upgrade Service.exe
PID 2172 wrote to memory of 1888	2172	2954916624.exe	Windows Security Upgrade Service.exe
PID 2172 wrote to memory of 1888	2172	2954916624.exe	Windows Security Upgrade Service.exe
PID 2172 wrote to memory of 1888	2172	2954916624.exe	Windows Security Upgrade Service.exe
PID 2168 wrote to memory of 1700	2168	243047698.exe	1833433559.exe
PID 2168 wrote to memory of 1700	2168	243047698.exe	1833433559.exe
PID 2168 wrote to memory of 1700	2168	243047698.exe	1833433559.exe
PID 2168 wrote to memory of 1700	2168	243047698.exe	1833433559.exe
PID 1928 wrote to memory of 572	1928	powershell.exe	schtasks.exe
PID 1928 wrote to memory of 572	1928	powershell.exe	schtasks.exe
PID 1928 wrote to memory of 572	1928	powershell.exe	schtasks.exe
PID 2744 wrote to memory of 832	2744	taskeng.exe	wupgrdsv.exe
PID 2744 wrote to memory of 832	2744	taskeng.exe	wupgrdsv.exe
PID 2744 wrote to memory of 832	2744	taskeng.exe	wupgrdsv.exe
PID 2896 wrote to memory of 2392	2896	powershell.exe	schtasks.exe
PID 2896 wrote to memory of 2392	2896	powershell.exe	schtasks.exe
PID 2896 wrote to memory of 2392	2896	powershell.exe	schtasks.exe
PID 832 wrote to memory of 2528	832	wupgrdsv.exe	notepad.exe
PID 2172 wrote to memory of 2188	2172	2954916624.exe	Windows Security Upgrade Service.exe
PID 2172 wrote to memory of 2188	2172	2954916624.exe	Windows Security Upgrade Service.exe
PID 2172 wrote to memory of 2188	2172	2954916624.exe	Windows Security Upgrade Service.exe
PID 2172 wrote to memory of 2188	2172	2954916624.exe	Windows Security Upgrade Service.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1132

C:\Users\Admin\AppData\Local\Temp\2024-05-23_406a3a86c943033b2d6c31b7d35f7f43_avoslocker.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_406a3a86c943033b2d6c31b7d35f7f43_avoslocker.exe"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964

C:\Users\Admin\AppData\Local\Temp\2710.exe
"C:\Users\Admin\AppData\Local\Temp\2710.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2080

C:\Users\Admin\AppData\Local\Temp\2519519120.exe
C:\Users\Admin\AppData\Local\Temp\2519519120.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2776

C:\Windows\syslmgrsvc.exe
C:\Windows\syslmgrsvc.exe
5⤵
- Modifies security service
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Suspicious use of WriteProcessMemory
PID:2220

C:\Users\Admin\AppData\Local\Temp\3241628178.exe
C:\Users\Admin\AppData\Local\Temp\3241628178.exe
6⤵
- Executes dropped EXE
PID:2824

C:\Users\Admin\AppData\Local\Temp\2954916624.exe
C:\Users\Admin\AppData\Local\Temp\2954916624.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2172

C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe
"C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe"
7⤵
- Executes dropped EXE
PID:2480

C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe
"C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe"
7⤵
- Executes dropped EXE
PID:1888

C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe
"C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe"
7⤵
- Executes dropped EXE
PID:2188

C:\Users\Admin\AppData\Local\Temp\243047698.exe
C:\Users\Admin\AppData\Local\Temp\243047698.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2168

C:\Users\Admin\AppData\Local\Temp\1833433559.exe
C:\Users\Admin\AppData\Local\Temp\1833433559.exe
7⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1700

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Windows Upgrade Manager" /tr "'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe'"
3⤵
- Creates scheduled task(s)
PID:572

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "Windows Upgrade Manager"
2⤵
PID:1196

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2896

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Windows Upgrade Manager" /tr "'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe'"
3⤵
- Creates scheduled task(s)
PID:2392

C:\Windows\System32\notepad.exe
C:\Windows\System32\notepad.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2528

C:\Windows\system32\taskeng.exe
taskeng.exe {45FD5EF0-00C8-45D2-9480-8C69FA97BCD2} S-1-5-21-2737914667-933161113-3798636211-1000:PUMARTNR\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2744

C:\Users\Admin\Windows Upgrade\wupgrdsv.exe
"C:\Users\Admin\Windows Upgrade\wupgrdsv.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2710.exe
Filesize
9KB

MD5
8d8e6c7952a9dc7c0c73911c4dbc5518

SHA1
9098da03b33b2c822065b49d5220359c275d5e94

SHA256
feb4c3ae4566f0acbb9e0f55417b61fefd89dc50a4e684df780813fb01d61278

SHA512
91a573843c28dd32a9f31a60ba977f9a3d4bb19ffd1b7254333e09bcecef348c1b3220a348ebb2cb08edb57d56cb7737f026519da52199c9dc62c10aea236645

Download Submit
C:\Users\Admin\AppData\Local\Temp\2931215984.exe
Filesize
80KB

MD5
2ff2bb06682812eeb76628bfbe817fbb

SHA1
18e86614d0f4904e1fe97198ccda34b25aab7dae

SHA256
985da56fb594bf65d8bb993e8e37cd6e78535da6c834945068040faf67e91e7d

SHA512
5cd3b5a1e16202893b08c0ae70d3bcd9e7a49197ebf1ded08e01395202022b3b6c2d8837196ef0415fea6497d928b44e03544b934f8e062ddbb6c6f79fb6f440

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2A7D.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2A9F.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
2f000139bd5b7ad3c6305b098ee29cae

SHA1
8780f621afbee84e67609cd51caed7b9fb6ace28

SHA256
679847334ac25408fc80ed9bf87efce88ff18a47c31f679e8a1e16757378d507

SHA512
cd6ba4c7acd456333a5802ea87fe9a18838c9b58e7689097767017be2e9600a37f1f1e356c6570363799edffc45c74a7482d23485f27f9eab2ac17460363b956

Download Submit
\Users\Admin\AppData\Local\Temp\1833433559.exe
Filesize
5.4MB

MD5
41ab08c1955fce44bfd0c76a64d1945a

SHA1
2b9cb05f4de5d98c541d15175d7f0199cbdd0eea

SHA256
dd12cb27b3867341bf6ca48715756500d3ec56c19b21bb1c1290806aa74cb493

SHA512
38834ae703a8541b4fec9a1db94cfe296ead58649bb1d4873b517df14d0c6a9d25e49ff04c2bf6bb0188845116a4e894aae930d849f9be8c98d2ce51da1ef116

Download Submit
\Users\Admin\AppData\Local\Temp\243047698.exe
Filesize
10KB

MD5
c8cf446ead193a3807472fbd294c5f23

SHA1
2162f28c919222f75ce5f52e4bb1155255ae5368

SHA256
e5d12658a690c62af7d4fc7b26735affc7210e3bfb6b2241de1bf90aebdc0717

SHA512
fc94014fabf204ecd57990db4b05b81cbda0a314b621cbfa755296ddf5493ec55fb129d12eff5f92863d9f1d7fea679dc2aeb62baf898791448cb4fe34b595c1

Download Submit
\Users\Admin\AppData\Local\Temp\2519519120.exe
Filesize
93KB

MD5
a318cc45e79498b93e40d5e5b9b76be4

SHA1
4ebc9969cc3c330741c377e22a5fb0cdb8ce5fd5

SHA256
4b4e596641d0dd9eece8a24556fd1246056cbc315a79675a7400927858bbd7c2

SHA512
3131d627837a3cafdf532173ccadd4beff933ee3d5e050366153434b1394c4d57056b4d273ddb826a1a0478caa83e1f6e095e83366102ae1d3705ab2d3ec0e2c

Download Submit
\Users\Admin\AppData\Local\Temp\2954916624.exe
Filesize
10KB

MD5
47340d40e7f73e62cf09ac60fd16ad68

SHA1
effd38f6561155802d3e5090f5714589eae5ce6e

SHA256
e8a0c46342abd882318dbfdb17b7d3cb93d7138564878a15c5b91229ed81689c

SHA512
2d5fbacad67eba3c42c2be95c3bf64d787d15cf96d5afe827d6f9bdb175295859e684202ff5afc773202f4b9d0b3135e913c997bbe72026cd7a7ca96ecf5aa08

Download Submit
\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe
Filesize
20KB

MD5
de36bc2bfc3c67820ebd75c912fadc3d

SHA1
38bd51e1052ae5bede5293827e87d6f494b204c8

SHA256
2a5083d6e55f5cb56764fc4ed7ad082a0ef75a908ed03132178cc80f802c3d16

SHA512
efbc8a797e95f00c142c4c02c2f3faf4f46fabcdcd1a99d81df7581244a22f0b81f846d15de3b5f4b6d323deff555fd569db57aff3171ffebf27c03e4d53e6ef

Download Submit
memory/832-279-0x000000013FD00000-0x0000000140276000-memory.dmp

Filesize
5.5MB

Download
memory/1700-266-0x000000013FDF0000-0x0000000140366000-memory.dmp

Filesize
5.5MB

Download
memory/1928-263-0x0000000001D60000-0x0000000001D68000-memory.dmp

Filesize
32KB

Download
memory/1928-262-0x000000001B550000-0x000000001B832000-memory.dmp

Filesize
2.9MB

Download
memory/2528-280-0x0000000000130000-0x0000000000150000-memory.dmp

Filesize
128KB

Download
memory/2528-285-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2528-286-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/2896-275-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/2896-276-0x0000000001E40000-0x0000000001E48000-memory.dmp

Filesize
32KB

Download