phorphiex | 4b4e596641d0dd9eece8a24556fd1246056cbc315a79675a7400927858bbd7c2

Analysis

max time kernel
300s
max time network
299s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 15:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

336488519.exe
Size

93KB
MD5

a318cc45e79498b93e40d5e5b9b76be4
SHA1

4ebc9969cc3c330741c377e22a5fb0cdb8ce5fd5
SHA256

4b4e596641d0dd9eece8a24556fd1246056cbc315a79675a7400927858bbd7c2
SHA512

3131d627837a3cafdf532173ccadd4beff933ee3d5e050366153434b1394c4d57056b4d273ddb826a1a0478caa83e1f6e095e83366102ae1d3705ab2d3ec0e2c
SSDEEP

1536:zL0IGzbFmav82I3dTCPu0864k/+ELInCSA+HK:30poOPPuRxk/jr+HK

Score

10^/10

phorphiex xmrig evasion loader miner persistence spyware stealer trojan worm

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Windows Service
T1543.003

Processes:

syslmgrsvc.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" syslmgrsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	syslmgrsvc.exe

Phorphiex payload 1 IoCs

Processes:

resource	yara_rule
C:\Windows\syslmgrsvc.exe	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

Processes:

3409239910.exewupgrdsv.exe

description	pid	process	target process
PID 1124 created 1156	1124	3409239910.exe	Explorer.EXE
PID 1124 created 1156	1124	3409239910.exe	Explorer.EXE
PID 1904 created 1156	1904	wupgrdsv.exe	Explorer.EXE
PID 1904 created 1156	1904	wupgrdsv.exe	Explorer.EXE

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

syslmgrsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	syslmgrsvc.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 12 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1904-90-0x000000013F940000-0x000000013FEB6000-memory.dmp	xmrig
behavioral1/memory/1332-96-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/1332-97-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/1332-98-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/1332-100-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/1332-101-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/1332-102-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/1332-103-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/1332-104-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/1332-119-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/1332-121-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/1332-122-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig

Downloads MZ/PE file

Executes dropped EXE 10 IoCs

Processes:

syslmgrsvc.exe518427069.exe2351722770.exeWindows Security Upgrade Service.exe2640713896.exe3409239910.exeWindows Security Upgrade Service.exewupgrdsv.exeWindows Security Upgrade Service.exe2081528148.exe

pid	process
2580	syslmgrsvc.exe
2448	518427069.exe
1364	2351722770.exe
1680	Windows Security Upgrade Service.exe
384	2640713896.exe
1124	3409239910.exe
1944	Windows Security Upgrade Service.exe
1904	wupgrdsv.exe
2928	Windows Security Upgrade Service.exe
1020	2081528148.exe

Loads dropped DLL 10 IoCs

Processes:

syslmgrsvc.exe2351722770.exe2640713896.exetaskeng.exe

pid	process
2580	syslmgrsvc.exe
2580	syslmgrsvc.exe
2580	syslmgrsvc.exe
1364	2351722770.exe
2580	syslmgrsvc.exe
384	2640713896.exe
1364	2351722770.exe
1296	taskeng.exe
1364	2351722770.exe
2580	syslmgrsvc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

syslmgrsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	syslmgrsvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	syslmgrsvc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

336488519.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\syslmgrsvc.exe"	336488519.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

wupgrdsv.exe

description pid process target process

PID 1904 set thread context of 1332 1904 wupgrdsv.exe notepad.exe
Drops file in Windows directory 2 IoCs

Processes:

336488519.exe

description ioc process

File opened for modification C:\Windows\syslmgrsvc.exe 336488519.exe
File created C:\Windows\syslmgrsvc.exe 336488519.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1896 schtasks.exe
1976 schtasks.exe

description	pid	process	target process
PID 1904 set thread context of 1332	1904	wupgrdsv.exe	notepad.exe

description	ioc	process
File opened for modification	C:\Windows\syslmgrsvc.exe	336488519.exe
File created	C:\Windows\syslmgrsvc.exe	336488519.exe

pid	process
1896	schtasks.exe
1976	schtasks.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

taskmgr.exe3409239910.exepowershell.exewupgrdsv.exepowershell.exe

pid	process
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1124	3409239910.exe
1124	3409239910.exe
1624	powershell.exe
1124	3409239910.exe
1124	3409239910.exe
1904	wupgrdsv.exe
1904	wupgrdsv.exe
2268	powershell.exe
1904	wupgrdsv.exe
1904	wupgrdsv.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

1560 taskmgr.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

taskmgr.exepowershell.exepowershell.exenotepad.exe

description	pid	process
Token: SeDebugPrivilege	1560	taskmgr.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeLockMemoryPrivilege	1332	notepad.exe
Token: SeLockMemoryPrivilege	1332	notepad.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exenotepad.exe

pid	process
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1332	notepad.exe
1332	notepad.exe
1332	notepad.exe
1332	notepad.exe
1332	notepad.exe
1332	notepad.exe
1332	notepad.exe
1332	notepad.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exenotepad.exe

pid	process
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1560	taskmgr.exe
1332	notepad.exe
1332	notepad.exe
1332	notepad.exe
1332	notepad.exe
1332	notepad.exe
1332	notepad.exe
1332	notepad.exe
1332	notepad.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

336488519.exesyslmgrsvc.exe2351722770.exe2640713896.exepowershell.exetaskeng.exepowershell.exewupgrdsv.exe

description	pid	process	target process
PID 2480 wrote to memory of 2580	2480	336488519.exe	syslmgrsvc.exe
PID 2480 wrote to memory of 2580	2480	336488519.exe	syslmgrsvc.exe
PID 2480 wrote to memory of 2580	2480	336488519.exe	syslmgrsvc.exe
PID 2480 wrote to memory of 2580	2480	336488519.exe	syslmgrsvc.exe
PID 2580 wrote to memory of 2448	2580	syslmgrsvc.exe	518427069.exe
PID 2580 wrote to memory of 2448	2580	syslmgrsvc.exe	518427069.exe
PID 2580 wrote to memory of 2448	2580	syslmgrsvc.exe	518427069.exe
PID 2580 wrote to memory of 2448	2580	syslmgrsvc.exe	518427069.exe
PID 2580 wrote to memory of 1364	2580	syslmgrsvc.exe	2351722770.exe
PID 2580 wrote to memory of 1364	2580	syslmgrsvc.exe	2351722770.exe
PID 2580 wrote to memory of 1364	2580	syslmgrsvc.exe	2351722770.exe
PID 2580 wrote to memory of 1364	2580	syslmgrsvc.exe	2351722770.exe
PID 1364 wrote to memory of 1680	1364	2351722770.exe	Windows Security Upgrade Service.exe
PID 1364 wrote to memory of 1680	1364	2351722770.exe	Windows Security Upgrade Service.exe
PID 1364 wrote to memory of 1680	1364	2351722770.exe	Windows Security Upgrade Service.exe
PID 1364 wrote to memory of 1680	1364	2351722770.exe	Windows Security Upgrade Service.exe
PID 2580 wrote to memory of 384	2580	syslmgrsvc.exe	2640713896.exe
PID 2580 wrote to memory of 384	2580	syslmgrsvc.exe	2640713896.exe
PID 2580 wrote to memory of 384	2580	syslmgrsvc.exe	2640713896.exe
PID 2580 wrote to memory of 384	2580	syslmgrsvc.exe	2640713896.exe
PID 384 wrote to memory of 1124	384	2640713896.exe	3409239910.exe
PID 384 wrote to memory of 1124	384	2640713896.exe	3409239910.exe
PID 384 wrote to memory of 1124	384	2640713896.exe	3409239910.exe
PID 384 wrote to memory of 1124	384	2640713896.exe	3409239910.exe
PID 1364 wrote to memory of 1944	1364	2351722770.exe	Windows Security Upgrade Service.exe
PID 1364 wrote to memory of 1944	1364	2351722770.exe	Windows Security Upgrade Service.exe
PID 1364 wrote to memory of 1944	1364	2351722770.exe	Windows Security Upgrade Service.exe
PID 1364 wrote to memory of 1944	1364	2351722770.exe	Windows Security Upgrade Service.exe
PID 1624 wrote to memory of 1896	1624	powershell.exe	schtasks.exe
PID 1624 wrote to memory of 1896	1624	powershell.exe	schtasks.exe
PID 1624 wrote to memory of 1896	1624	powershell.exe	schtasks.exe
PID 1296 wrote to memory of 1904	1296	taskeng.exe	wupgrdsv.exe
PID 1296 wrote to memory of 1904	1296	taskeng.exe	wupgrdsv.exe
PID 1296 wrote to memory of 1904	1296	taskeng.exe	wupgrdsv.exe
PID 2268 wrote to memory of 1976	2268	powershell.exe	schtasks.exe
PID 2268 wrote to memory of 1976	2268	powershell.exe	schtasks.exe
PID 2268 wrote to memory of 1976	2268	powershell.exe	schtasks.exe
PID 1904 wrote to memory of 1332	1904	wupgrdsv.exe	notepad.exe
PID 1364 wrote to memory of 2928	1364	2351722770.exe	Windows Security Upgrade Service.exe
PID 1364 wrote to memory of 2928	1364	2351722770.exe	Windows Security Upgrade Service.exe
PID 1364 wrote to memory of 2928	1364	2351722770.exe	Windows Security Upgrade Service.exe
PID 1364 wrote to memory of 2928	1364	2351722770.exe	Windows Security Upgrade Service.exe
PID 2580 wrote to memory of 1020	2580	syslmgrsvc.exe	2081528148.exe
PID 2580 wrote to memory of 1020	2580	syslmgrsvc.exe	2081528148.exe
PID 2580 wrote to memory of 1020	2580	syslmgrsvc.exe	2081528148.exe
PID 2580 wrote to memory of 1020	2580	syslmgrsvc.exe	2081528148.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1156

C:\Users\Admin\AppData\Local\Temp\336488519.exe
"C:\Users\Admin\AppData\Local\Temp\336488519.exe"
2⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2480

C:\Windows\syslmgrsvc.exe
C:\Windows\syslmgrsvc.exe
3⤵
- Modifies security service
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Suspicious use of WriteProcessMemory
PID:2580

C:\Users\Admin\AppData\Local\Temp\518427069.exe
C:\Users\Admin\AppData\Local\Temp\518427069.exe
4⤵
- Executes dropped EXE
PID:2448

C:\Users\Admin\AppData\Local\Temp\2351722770.exe
C:\Users\Admin\AppData\Local\Temp\2351722770.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1364

C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe
"C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe"
5⤵
- Executes dropped EXE
PID:1680

C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe
"C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe"
5⤵
- Executes dropped EXE
PID:1944

C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe
"C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe"
5⤵
- Executes dropped EXE
PID:2928

C:\Users\Admin\AppData\Local\Temp\2640713896.exe
C:\Users\Admin\AppData\Local\Temp\2640713896.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:384

C:\Users\Admin\AppData\Local\Temp\3409239910.exe
C:\Users\Admin\AppData\Local\Temp\3409239910.exe
5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1124

C:\Users\Admin\AppData\Local\Temp\2081528148.exe
C:\Users\Admin\AppData\Local\Temp\2081528148.exe
4⤵
- Executes dropped EXE
PID:1020

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1560

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Windows Upgrade Manager" /tr "'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe'"
3⤵
- Creates scheduled task(s)
PID:1896

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "Windows Upgrade Manager"
2⤵
PID:1216

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2268

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Windows Upgrade Manager" /tr "'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe'"
3⤵
- Creates scheduled task(s)
PID:1976

C:\Windows\System32\notepad.exe
C:\Windows\System32\notepad.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1332

C:\Windows\system32\taskeng.exe
taskeng.exe {50272B9C-3C44-46ED-8DC5-D551F8FD4E65} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1296

C:\Users\Admin\Windows Upgrade\wupgrdsv.exe
"C:\Users\Admin\Windows Upgrade\wupgrdsv.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1687828117.exe
Filesize
80KB

MD5
2ff2bb06682812eeb76628bfbe817fbb

SHA1
18e86614d0f4904e1fe97198ccda34b25aab7dae

SHA256
985da56fb594bf65d8bb993e8e37cd6e78535da6c834945068040faf67e91e7d

SHA512
5cd3b5a1e16202893b08c0ae70d3bcd9e7a49197ebf1ded08e01395202022b3b6c2d8837196ef0415fea6497d928b44e03544b934f8e062ddbb6c6f79fb6f440

Download Submit
C:\Users\Admin\AppData\Local\Temp\2081528148.exe
Filesize
11KB

MD5
cafd277c4132f5d0f202e7ea07a27d5c

SHA1
72c8c16a94cce56a3e01d91bc1276dafc65b351d

SHA256
e5162fa594811f0f01fc76f4acbd9fe99b2265df9cfcbc346023f28775c19f1e

SHA512
7c87d1dec61b78e0f223e8f9fec019d96509813fa6d96129289aab00b2d6f05bf91fe1fafd680b7d9e746f4c2c8cbe48a3028bcaad479048d00d79a19f71b196

Download Submit
C:\Users\Admin\AppData\Local\Temp\3409239910.exe
Filesize
5.4MB

MD5
41ab08c1955fce44bfd0c76a64d1945a

SHA1
2b9cb05f4de5d98c541d15175d7f0199cbdd0eea

SHA256
dd12cb27b3867341bf6ca48715756500d3ec56c19b21bb1c1290806aa74cb493

SHA512
38834ae703a8541b4fec9a1db94cfe296ead58649bb1d4873b517df14d0c6a9d25e49ff04c2bf6bb0188845116a4e894aae930d849f9be8c98d2ce51da1ef116

Download Submit
C:\Users\Admin\AppData\Local\Temp\901214061.exe
Filesize
86KB

MD5
fe1e93f12cca3f7c0c897ef2084e1778

SHA1
fb588491ddad8b24ea555a6a2727e76cec1fade3

SHA256
2ebc4a92f4fdc27d4ab56e57058575a8b18adb076cbd30feea2ecdc8b7fcd41f

SHA512
36e0524c465187ae9ad207c724aee45bcd61cfd3fa66a79f9434d24fcbadc0a743834d5e808e6041f3bd88e75deb5afd34193574f005ed97e4b17c6b0388cb93

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
68f1bd5a929d28f0f73b696e54dc846b

SHA1
11228d046257ac20f19e678ec0f7e893b5b31cff

SHA256
29d796494f581bd2c38c947492d3cbb5040ab61b52a7c3b8c2997601041fd76a

SHA512
83a12e5cb4c9df3dddd8aac2b6e9908f787bf81554461b567d569cfe352c78916cd39a7783e75dd43a172f513863cf956a6cb2bd67c2de4e8a952006b6216d53

Download Submit
C:\Users\Admin\tbtnds.dat
Filesize
4KB

MD5
330086c407958b0a0e8ff14aea1c58d5

SHA1
9b2623bac981a60780fd6dfc76e220d6df946bac

SHA256
295480d5d31c501dfaa88d0a2a1c5872821ac1e6e103abd5a3def21ea0b17191

SHA512
13fa7cbb5974b640fa6af10571beed68d96d263a63bbfc29ff1e442968b4205526fd60e886322b1dc2951a836ac0d04d1cf9c6cdc8d2aeb7f6f607980df8982f

Download Submit
C:\Windows\syslmgrsvc.exe
Filesize
93KB

MD5
a318cc45e79498b93e40d5e5b9b76be4

SHA1
4ebc9969cc3c330741c377e22a5fb0cdb8ce5fd5

SHA256
4b4e596641d0dd9eece8a24556fd1246056cbc315a79675a7400927858bbd7c2

SHA512
3131d627837a3cafdf532173ccadd4beff933ee3d5e050366153434b1394c4d57056b4d273ddb826a1a0478caa83e1f6e095e83366102ae1d3705ab2d3ec0e2c

Download Submit
\Users\Admin\AppData\Local\Temp\2351722770.exe
Filesize
10KB

MD5
47340d40e7f73e62cf09ac60fd16ad68

SHA1
effd38f6561155802d3e5090f5714589eae5ce6e

SHA256
e8a0c46342abd882318dbfdb17b7d3cb93d7138564878a15c5b91229ed81689c

SHA512
2d5fbacad67eba3c42c2be95c3bf64d787d15cf96d5afe827d6f9bdb175295859e684202ff5afc773202f4b9d0b3135e913c997bbe72026cd7a7ca96ecf5aa08

Download Submit
\Users\Admin\AppData\Local\Temp\2640713896.exe
Filesize
10KB

MD5
c8cf446ead193a3807472fbd294c5f23

SHA1
2162f28c919222f75ce5f52e4bb1155255ae5368

SHA256
e5d12658a690c62af7d4fc7b26735affc7210e3bfb6b2241de1bf90aebdc0717

SHA512
fc94014fabf204ecd57990db4b05b81cbda0a314b621cbfa755296ddf5493ec55fb129d12eff5f92863d9f1d7fea679dc2aeb62baf898791448cb4fe34b595c1

Download Submit
\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe
Filesize
20KB

MD5
de36bc2bfc3c67820ebd75c912fadc3d

SHA1
38bd51e1052ae5bede5293827e87d6f494b204c8

SHA256
2a5083d6e55f5cb56764fc4ed7ad082a0ef75a908ed03132178cc80f802c3d16

SHA512
efbc8a797e95f00c142c4c02c2f3faf4f46fabcdcd1a99d81df7581244a22f0b81f846d15de3b5f4b6d323deff555fd569db57aff3171ffebf27c03e4d53e6ef

Download Submit
memory/1124-77-0x000000013F710000-0x000000013FC86000-memory.dmp

Filesize
5.5MB

Download
memory/1332-91-0x00000000000C0000-0x00000000000E0000-memory.dmp

Filesize
128KB

Download
memory/1332-101-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1332-122-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1332-121-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1332-119-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1332-96-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1332-97-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1332-98-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1332-100-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1332-104-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1332-102-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1332-103-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1560-25-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1560-24-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1624-73-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/1624-74-0x0000000001E30000-0x0000000001E38000-memory.dmp

Filesize
32KB

Download
memory/1904-90-0x000000013F940000-0x000000013FEB6000-memory.dmp

Filesize
5.5MB

Download
memory/2268-86-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/2268-87-0x0000000001EA0000-0x0000000001EA8000-memory.dmp

Filesize
32KB

Download