xmrig | 7022aee75dbf84ea8b3050fcee637f6f87232dfab7cb7cbd5f5a2062d749c07c

Analysis

max time kernel
121s
max time network
150s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
01-08-2024 20:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Xbox.exe
Size

19.0MB
MD5

30880523d777f4fe75ca515c0d6df32b
SHA1

73629571c0c7f6bfae8422ff44d79b48e2e13d1f
SHA256

7022aee75dbf84ea8b3050fcee637f6f87232dfab7cb7cbd5f5a2062d749c07c
SHA512

1276a39236434cb7fc4903f2b75f1f6dceb1522aba70ff2babf70bae7088caeb5463f6f405e8bac51f2b1378c12291828dfa0978aaf009821cf87385d9824f81
SSDEEP

196608:Yb61gbgwY5kuaC4FaXtBrlOMOpnLo213diio7eLi4iUK+cTwfnrUzhjzO5quL971:Yo487OsOcTwfOa5L93edRaF/

Score

10^/10

xmrig xworm discovery evasion execution miner persistence rat trojan upx

Malware Config

Extracted

Family

xworm

expected-schema.gl.at.ply.gg:2980

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/memory/1884-24-0x0000000000380000-0x0000000000398000-memory.dmp	family_xworm
behavioral1/memory/2992-75-0x00000000011F0000-0x00000000011FA000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 12 IoCs

miner

resource	yara_rule
behavioral1/memory/1728-94-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1728-96-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1728-98-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1728-97-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1728-95-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1728-92-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1728-91-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1728-105-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1728-106-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1728-112-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1728-113-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1728-111-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2408	powershell.exe
1320	powershell.exe
2360	powershell.exe
2924	powershell.exe
2932	powershell.exe
2404	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	flux.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	flux.exe

Executes dropped EXE 6 IoCs

pid	Process
2264	build.exe
1884	flux.exe
2992	XboxInstaller.exe
480	Process not Found
1524	gaexyjbdzroy.exe
2448	XClient.exe

Loads dropped DLL 4 IoCs

pid	Process
1656	Xbox.exe
1656	Xbox.exe
1884	flux.exe
480	Process not Found

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1728-86-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1728-94-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1728-96-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1728-98-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1728-97-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1728-95-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1728-92-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1728-90-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1728-89-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1728-88-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1728-91-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1728-87-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1728-105-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1728-106-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1728-112-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1728-113-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1728-111-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	flux.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	XboxInstaller.exe
File opened (read-only)	\??\O:	XboxInstaller.exe
File opened (read-only)	\??\Q:	XboxInstaller.exe
File opened (read-only)	\??\V:	XboxInstaller.exe
File opened (read-only)	\??\N:	XboxInstaller.exe
File opened (read-only)	\??\P:	XboxInstaller.exe
File opened (read-only)	\??\S:	XboxInstaller.exe
File opened (read-only)	\??\W:	XboxInstaller.exe
File opened (read-only)	\??\H:	XboxInstaller.exe
File opened (read-only)	\??\I:	XboxInstaller.exe
File opened (read-only)	\??\J:	XboxInstaller.exe
File opened (read-only)	\??\M:	XboxInstaller.exe
File opened (read-only)	\??\X:	XboxInstaller.exe
File opened (read-only)	\??\Z:	XboxInstaller.exe
File opened (read-only)	\??\A:	XboxInstaller.exe
File opened (read-only)	\??\B:	XboxInstaller.exe
File opened (read-only)	\??\K:	XboxInstaller.exe
File opened (read-only)	\??\T:	XboxInstaller.exe
File opened (read-only)	\??\Y:	XboxInstaller.exe
File opened (read-only)	\??\E:	XboxInstaller.exe
File opened (read-only)	\??\L:	XboxInstaller.exe
File opened (read-only)	\??\R:	XboxInstaller.exe
File opened (read-only)	\??\U:	XboxInstaller.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
3052	powercfg.exe
2996	powercfg.exe
2592	powercfg.exe
2148	powercfg.exe
2804	powercfg.exe
2104	powercfg.exe
3056	powercfg.exe
1904	powercfg.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	gaexyjbdzroy.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	build.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1524 set thread context of 2980	1524	gaexyjbdzroy.exe	96
PID 1524 set thread context of 1728	1524	gaexyjbdzroy.exe	101

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2916	sc.exe
1012	sc.exe
2400	sc.exe
2984	sc.exe
2324	sc.exe
2716	sc.exe
328	sc.exe
2364	sc.exe
1044	sc.exe
2736	sc.exe
1712	sc.exe
836	sc.exe
2576	sc.exe
2352	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	flux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XboxInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 20ccc88a54e4da01	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
808	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1320	powershell.exe
2360	powershell.exe
2924	powershell.exe
2932	powershell.exe
1884	flux.exe
2264	build.exe
2404	powershell.exe
2264	build.exe
2264	build.exe
2264	build.exe
2264	build.exe
2264	build.exe
2264	build.exe
2264	build.exe
2264	build.exe
2264	build.exe
2264	build.exe
2264	build.exe
2264	build.exe
2264	build.exe
2264	build.exe
1524	gaexyjbdzroy.exe
2408	powershell.exe
1524	gaexyjbdzroy.exe
1524	gaexyjbdzroy.exe
1524	gaexyjbdzroy.exe
1524	gaexyjbdzroy.exe
1524	gaexyjbdzroy.exe
1524	gaexyjbdzroy.exe
1524	gaexyjbdzroy.exe
1524	gaexyjbdzroy.exe
1524	gaexyjbdzroy.exe
1524	gaexyjbdzroy.exe
1524	gaexyjbdzroy.exe
1524	gaexyjbdzroy.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe
1728	explorer.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	1884	flux.exe
Token: SeDebugPrivilege	1320	powershell.exe
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	1884	flux.exe
Token: SeDebugPrivilege	2404	powershell.exe
Token: SeShutdownPrivilege	1904	powercfg.exe
Token: SeShutdownPrivilege	3056	powercfg.exe
Token: SeShutdownPrivilege	3052	powercfg.exe
Token: SeShutdownPrivilege	2996	powercfg.exe
Token: SeDebugPrivilege	2408	powershell.exe
Token: SeShutdownPrivilege	2592	powercfg.exe
Token: SeShutdownPrivilege	2104	powercfg.exe
Token: SeShutdownPrivilege	2148	powercfg.exe
Token: SeShutdownPrivilege	2804	powercfg.exe
Token: SeLockMemoryPrivilege	1728	explorer.exe
Token: SeDebugPrivilege	2448	XClient.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1884	flux.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 2264	1656	Xbox.exe	31
PID 1656 wrote to memory of 2264	1656	Xbox.exe	31
PID 1656 wrote to memory of 2264	1656	Xbox.exe	31
PID 1656 wrote to memory of 1884	1656	Xbox.exe	32
PID 1656 wrote to memory of 1884	1656	Xbox.exe	32
PID 1656 wrote to memory of 1884	1656	Xbox.exe	32
PID 1656 wrote to memory of 1884	1656	Xbox.exe	32
PID 1656 wrote to memory of 2992	1656	Xbox.exe	33
PID 1656 wrote to memory of 2992	1656	Xbox.exe	33
PID 1656 wrote to memory of 2992	1656	Xbox.exe	33
PID 1656 wrote to memory of 2992	1656	Xbox.exe	33
PID 1656 wrote to memory of 2992	1656	Xbox.exe	33
PID 1656 wrote to memory of 2992	1656	Xbox.exe	33
PID 1656 wrote to memory of 2992	1656	Xbox.exe	33
PID 1884 wrote to memory of 1320	1884	flux.exe	35
PID 1884 wrote to memory of 1320	1884	flux.exe	35
PID 1884 wrote to memory of 1320	1884	flux.exe	35
PID 1884 wrote to memory of 1320	1884	flux.exe	35
PID 1884 wrote to memory of 2360	1884	flux.exe	37
PID 1884 wrote to memory of 2360	1884	flux.exe	37
PID 1884 wrote to memory of 2360	1884	flux.exe	37
PID 1884 wrote to memory of 2360	1884	flux.exe	37
PID 1884 wrote to memory of 2924	1884	flux.exe	39
PID 1884 wrote to memory of 2924	1884	flux.exe	39
PID 1884 wrote to memory of 2924	1884	flux.exe	39
PID 1884 wrote to memory of 2924	1884	flux.exe	39
PID 1884 wrote to memory of 2932	1884	flux.exe	41
PID 1884 wrote to memory of 2932	1884	flux.exe	41
PID 1884 wrote to memory of 2932	1884	flux.exe	41
PID 1884 wrote to memory of 2932	1884	flux.exe	41
PID 1884 wrote to memory of 808	1884	flux.exe	43
PID 1884 wrote to memory of 808	1884	flux.exe	43
PID 1884 wrote to memory of 808	1884	flux.exe	43
PID 1884 wrote to memory of 808	1884	flux.exe	43
PID 1020 wrote to memory of 1508	1020	cmd.exe	51
PID 1020 wrote to memory of 1508	1020	cmd.exe	51
PID 1020 wrote to memory of 1508	1020	cmd.exe	51
PID 2872 wrote to memory of 2376	2872	cmd.exe	83
PID 2872 wrote to memory of 2376	2872	cmd.exe	83
PID 2872 wrote to memory of 2376	2872	cmd.exe	83
PID 1524 wrote to memory of 2980	1524	gaexyjbdzroy.exe	96
PID 1524 wrote to memory of 2980	1524	gaexyjbdzroy.exe	96
PID 1524 wrote to memory of 2980	1524	gaexyjbdzroy.exe	96
PID 1524 wrote to memory of 2980	1524	gaexyjbdzroy.exe	96
PID 1524 wrote to memory of 2980	1524	gaexyjbdzroy.exe	96
PID 1524 wrote to memory of 2980	1524	gaexyjbdzroy.exe	96
PID 1524 wrote to memory of 2980	1524	gaexyjbdzroy.exe	96
PID 1524 wrote to memory of 2980	1524	gaexyjbdzroy.exe	96
PID 1524 wrote to memory of 2980	1524	gaexyjbdzroy.exe	96
PID 1524 wrote to memory of 1728	1524	gaexyjbdzroy.exe	101
PID 1524 wrote to memory of 1728	1524	gaexyjbdzroy.exe	101
PID 1524 wrote to memory of 1728	1524	gaexyjbdzroy.exe	101
PID 1524 wrote to memory of 1728	1524	gaexyjbdzroy.exe	101
PID 1524 wrote to memory of 1728	1524	gaexyjbdzroy.exe	101
PID 2532 wrote to memory of 2448	2532	taskeng.exe	103
PID 2532 wrote to memory of 2448	2532	taskeng.exe	103
PID 2532 wrote to memory of 2448	2532	taskeng.exe	103
PID 2532 wrote to memory of 2448	2532	taskeng.exe	103

C:\Users\Admin\AppData\Local\Temp\Xbox.exe
"C:\Users\Admin\AppData\Local\Temp\Xbox.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Users\Public\build.exe
  "C:\Users\Public\build.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2264
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1020
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Drops file in Windows directory
      PID:1508
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:836
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2364
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1044
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:328
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:2984
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:3056
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1904
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:3052
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2996
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "LNETTCDY"
    3⤵
    - Launches sc.exe
    PID:2916
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "LNETTCDY" binpath= "C:\ProgramData\jqznuyxniafn\gaexyjbdzroy.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:1012
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:2324
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "LNETTCDY"
    3⤵
    - Launches sc.exe
    PID:2352
- C:\Users\Public\flux.exe
  "C:\Users\Public\flux.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\flux.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1320
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'flux.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2360
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2924
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2932
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:808
- C:\Users\Public\XboxInstaller.exe
  "C:\Users\Public\XboxInstaller.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  PID:2992

C:\ProgramData\jqznuyxniafn\gaexyjbdzroy.exe
C:\ProgramData\jqznuyxniafn\gaexyjbdzroy.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Drops file in Windows directory
    PID:2376
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:2716
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:2400
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:2736
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:2576
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:1712
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2592
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2148
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2804
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2104
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:2980
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1728

C:\Windows\system32\taskeng.exe
taskeng.exe {32E14AE9-DE1F-406A-8E47-FA4DF185EE19} S-1-5-21-3450744190-3404161390-554719085-1000:PDIZKVQX\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2448
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DB1VYBJ1CC2Q99YZ4IAS.temp

Filesize
7KB

MD5
491be91a58d5c4a0e5dd6efd070087e6

SHA1
73afa4f4f4712f900700b96519da93a88b6ac3ab

SHA256
88725d1e62ddc67d2d8b083cb0049a0bd0d077834a02ef6c1db7cf836a1b386b

SHA512
5d643aa2027872a7a2e6fece64c7e34590e6c1e8904cf0a5630ef5e19614ff34b373ee621883dafe42dc34fe6aa3996185a7fc560e55b6242d30829cb96f1b83

Download Submit
C:\Users\Public\XboxInstaller.exe

Filesize
13.4MB

MD5
33c9518c086d0cca4a636bc86728485e

SHA1
2420ad25e243ab8905b49f60fe7fb96590661f50

SHA256
ba30ea16cd8fbd9209d40ae193206ad00f042d100524cf310982c33369325ca2

SHA512
6c2c470607b88e7cd79411b7a645b395cee3306a23e6ba50b8ac57f7d5529a1b350c34e19da69aeb1ffade44d5187b4a1ef209a53d21a83e9e35add10fc7867d

Download Submit
C:\Users\Public\flux.exe

Filesize
554KB

MD5
153e795f536e7159e5a14ed836e31dc0

SHA1
6d1049b0f029e8c96fb612b048b71ee6f32c9398

SHA256
b3d902eb6101db0346fd033453d626b7c8e92be6264fd06609b486006d4f0310

SHA512
74567f0d8c02ab638c083e15806bfcfd38f219bb6c46c596f165ffbd1b05ef685d7ab3eff17c198dd4d42d4866f076e644aef282e10ec875db48dc35f6251a70

Download Submit
\Users\Public\build.exe

Filesize
5.1MB

MD5
e99a422a6e87545ae15e8184ea697809

SHA1
18c04b90aa66b23e87460ff9c91d732d5147872b

SHA256
4095beaf2970d2f15ff23e49a4c7bb8969c0a9e0bd5b034f6a442066c8e1ab92

SHA512
7f56e7b56a01f65f5f8e17c1dd9743c76136dee004b9e94cf544343e43fab4b5233f8405ec3909b5f01612e7399696dd5b66fad9ba361319fccf6457816a39dd

Download Submit
memory/1656-0-0x000007FEF6133000-0x000007FEF6134000-memory.dmp

Filesize
4KB

Download
memory/1656-1-0x0000000000EB0000-0x00000000021C0000-memory.dmp

Filesize
19.1MB

Download
memory/1728-98-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1728-95-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1728-111-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1728-113-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1728-112-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1728-88-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1728-106-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1728-105-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1728-97-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1728-90-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1728-92-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1728-96-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1728-94-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1728-93-0x0000000000130000-0x0000000000150000-memory.dmp

Filesize
128KB

Download
memory/1728-87-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1728-91-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1728-86-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1728-89-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1884-24-0x0000000000380000-0x0000000000398000-memory.dmp

Filesize
96KB

Download
memory/1884-61-0x00000000747BE000-0x00000000747BF000-memory.dmp

Filesize
4KB

Download
memory/1884-17-0x0000000000980000-0x0000000000A10000-memory.dmp

Filesize
576KB

Download
memory/1884-16-0x00000000747BE000-0x00000000747BF000-memory.dmp

Filesize
4KB

Download
memory/2332-116-0x00000000008A0000-0x0000000000930000-memory.dmp

Filesize
576KB

Download
memory/2404-67-0x0000000001D40000-0x0000000001D48000-memory.dmp

Filesize
32KB

Download
memory/2404-66-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/2408-76-0x0000000000CF0000-0x0000000000CF8000-memory.dmp

Filesize
32KB

Download
memory/2408-73-0x0000000019D70000-0x000000001A052000-memory.dmp

Filesize
2.9MB

Download
memory/2448-110-0x00000000003F0000-0x0000000000480000-memory.dmp

Filesize
576KB

Download
memory/2980-78-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2980-79-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2980-82-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2980-84-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2980-77-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2980-80-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2992-102-0x0000000002D80000-0x0000000002D8A000-memory.dmp

Filesize
40KB

Download
memory/2992-100-0x0000000002D80000-0x0000000002D8A000-memory.dmp

Filesize
40KB

Download
memory/2992-75-0x00000000011F0000-0x00000000011FA000-memory.dmp

Filesize
40KB

Download
memory/2992-104-0x0000000002D80000-0x0000000002D8A000-memory.dmp

Filesize
40KB

Download
memory/2992-103-0x0000000002D80000-0x0000000002D8A000-memory.dmp

Filesize
40KB

Download
memory/2992-74-0x00000000011F0000-0x00000000011FA000-memory.dmp

Filesize
40KB

Download
memory/2992-101-0x0000000002D80000-0x0000000002D8A000-memory.dmp

Filesize
40KB

Download
memory/2992-31-0x0000000002D80000-0x0000000002D8A000-memory.dmp

Filesize
40KB

Download
memory/2992-99-0x0000000002D80000-0x0000000002D8A000-memory.dmp

Filesize
40KB

Download
memory/2992-32-0x0000000002D80000-0x0000000002D8A000-memory.dmp

Filesize
40KB

Download
memory/2992-34-0x0000000002D80000-0x0000000002D8A000-memory.dmp

Filesize
40KB

Download
memory/2992-35-0x0000000002D80000-0x0000000002D8A000-memory.dmp

Filesize
40KB

Download
memory/2992-33-0x0000000002D80000-0x0000000002D8A000-memory.dmp

Filesize
40KB

Download
memory/2992-26-0x00000000011F0000-0x00000000011FA000-memory.dmp

Filesize
40KB

Download
memory/2992-27-0x00000000011F0000-0x00000000011FA000-memory.dmp

Filesize
40KB

Download
memory/2992-25-0x00000000003E0000-0x000000000114A000-memory.dmp

Filesize
13.4MB

Download