Analysis Overview
SHA256
b014f479c70d22623b1a3826e16d70abc750c9103c6597d623ab4183124130f3
Threat Level: Known bad
The file b014f479c70d22623b1a3826e16d70abc750c9103c6597d623ab4183124130f3 was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
Phorphiex payload
Windows security bypass
Modifies security service
Xmrig family
Phorphiex, Phorpiex
xmrig
Phorphiex family
XMRig Miner payload
Stops running service(s)
Downloads MZ/PE file
Command and Scripting Interpreter: PowerShell
Reads user/profile data of web browsers
Windows security modification
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Checks installed software on the system
Checks for any installed AV software in registry
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in System32 directory
Launches sc.exe
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
Suspicious behavior: LoadsDriver
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Scheduled Task/Job: Scheduled Task
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-11 02:20
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 02:20
Reported
2024-11-11 02:22
Platform
win7-20241010-en
Max time kernel
151s
Max time network
153s
Command Line
Signatures
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\sysppvrdnvs.exe | N/A |
Phorphiex family
Phorphiex payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Phorphiex, Phorpiex
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2060 created 1212 | N/A | C:\Users\Admin\AppData\Local\Temp\1138810692.exe | C:\Windows\Explorer.EXE |
| PID 2060 created 1212 | N/A | C:\Users\Admin\AppData\Local\Temp\1138810692.exe | C:\Windows\Explorer.EXE |
| PID 1208 created 1212 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\Explorer.EXE |
| PID 1208 created 1212 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\Explorer.EXE |
| PID 1208 created 1212 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\Explorer.EXE |
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Stops running service(s)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9DC5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\322506526.exe | N/A |
| N/A | N/A | C:\Windows\sysppvrdnvs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\195881815.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\336425862.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2281617292.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1138810692.exe | N/A |
| N/A | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b014f479c70d22623b1a3826e16d70abc750c9103c6597d623ab4183124130f3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9DC5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9DC5.exe | N/A |
| N/A | N/A | C:\Windows\sysppvrdnvs.exe | N/A |
| N/A | N/A | C:\Windows\sysppvrdnvs.exe | N/A |
| N/A | N/A | C:\Windows\sysppvrdnvs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2281617292.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskeng.exe | N/A |
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysppvrdnvs.exe" | C:\Users\Admin\AppData\Local\Temp\322506526.exe | N/A |
Checks for any installed AV software in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast\Version | C:\Users\Admin\AppData\Local\Temp\b014f479c70d22623b1a3826e16d70abc750c9103c6597d623ab4183124130f3.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Avira | C:\Users\Admin\AppData\Local\Temp\b014f479c70d22623b1a3826e16d70abc750c9103c6597d623ab4183124130f3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Software\Wow6432Node\Avira | C:\Users\Admin\AppData\Local\Temp\b014f479c70d22623b1a3826e16d70abc750c9103c6597d623ab4183124130f3.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\AVAST Software\Avast | C:\Users\Admin\AppData\Local\Temp\b014f479c70d22623b1a3826e16d70abc750c9103c6597d623ab4183124130f3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast\Version | C:\Users\Admin\AppData\Local\Temp\b014f479c70d22623b1a3826e16d70abc750c9103c6597d623ab4183124130f3.exe | N/A |
Checks installed software on the system
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1208 set thread context of 2444 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\System32\conhost.exe |
| PID 1208 set thread context of 2856 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\System32\dwm.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\sysppvrdnvs.exe | C:\Users\Admin\AppData\Local\Temp\322506526.exe | N/A |
| File opened for modification | C:\Windows\sysppvrdnvs.exe | C:\Users\Admin\AppData\Local\Temp\322506526.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b014f479c70d22623b1a3826e16d70abc750c9103c6597d623ab4183124130f3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\sysppvrdnvs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2281617292.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9DC5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\322506526.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Users\Admin\AppData\Local\Temp\b014f479c70d22623b1a3826e16d70abc750c9103c6597d623ab4183124130f3.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Users\Admin\AppData\Local\Temp\b014f479c70d22623b1a3826e16d70abc750c9103c6597d623ab4183124130f3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\b014f479c70d22623b1a3826e16d70abc750c9103c6597d623ab4183124130f3.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\195881815.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\System32\dwm.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\System32\dwm.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b014f479c70d22623b1a3826e16d70abc750c9103c6597d623ab4183124130f3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b014f479c70d22623b1a3826e16d70abc750c9103c6597d623ab4183124130f3.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\b014f479c70d22623b1a3826e16d70abc750c9103c6597d623ab4183124130f3.exe
"C:\Users\Admin\AppData\Local\Temp\b014f479c70d22623b1a3826e16d70abc750c9103c6597d623ab4183124130f3.exe"
C:\Users\Admin\AppData\Local\Temp\9DC5.exe
"C:\Users\Admin\AppData\Local\Temp\9DC5.exe"
C:\Users\Admin\AppData\Local\Temp\322506526.exe
C:\Users\Admin\AppData\Local\Temp\322506526.exe
C:\Windows\sysppvrdnvs.exe
C:\Windows\sysppvrdnvs.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
C:\Windows\SysWOW64\sc.exe
sc stop UsoSvc
C:\Windows\SysWOW64\sc.exe
sc stop WaaSMedicSvc
C:\Windows\SysWOW64\sc.exe
sc stop wuauserv
C:\Windows\SysWOW64\sc.exe
sc stop DoSvc
C:\Windows\SysWOW64\sc.exe
sc stop BITS /wait
C:\Users\Admin\AppData\Local\Temp\195881815.exe
C:\Users\Admin\AppData\Local\Temp\195881815.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
C:\Windows\system32\schtasks.exe
schtasks /delete /f /tn "Windows Upgrade Manager"
C:\Users\Admin\AppData\Local\Temp\336425862.exe
C:\Users\Admin\AppData\Local\Temp\336425862.exe
C:\Users\Admin\AppData\Local\Temp\2281617292.exe
C:\Users\Admin\AppData\Local\Temp\2281617292.exe
C:\Users\Admin\AppData\Local\Temp\1138810692.exe
C:\Users\Admin\AppData\Local\Temp\1138810692.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Microsoft Windows Security" /tr "'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe'"
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
C:\Windows\system32\taskeng.exe
taskeng.exe {C633EC61-B87E-4348-AF78-220E6D84D196} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]
C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe
"C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Microsoft Windows Security" /tr "'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe'"
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
C:\Windows\System32\dwm.exe
C:\Windows\System32\dwm.exe
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.66:80 | 185.215.113.66 | tcp |
| N/A | 127.0.0.1:49248 | N/A | tcp |
| US | 8.8.8.8:53 | mediaget.com | udp |
| NL | 51.158.129.110:443 | mediaget.com | tcp |
| N/A | 127.0.0.1:49253 | N/A | tcp |
| NL | 51.158.129.110:443 | mediaget.com | tcp |
| NL | 51.158.129.110:443 | mediaget.com | tcp |
| US | 8.8.8.8:53 | twizt.net | udp |
| N/A | 127.0.0.1:49257 | N/A | tcp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| RU | 185.215.113.84:80 | 185.215.113.84 | tcp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| US | 8.8.8.8:53 | www.update.microsoft.com | udp |
| US | 20.109.209.108:80 | www.update.microsoft.com | tcp |
| YE | 188.209.231.152:40500 | N/A | udp |
| IR | 5.238.77.37:40500 | N/A | tcp |
| US | 8.8.8.8:53 | twizthash.net | udp |
| RU | 185.215.113.66:5152 | twizthash.net | tcp |
| UZ | 84.54.71.94:40500 | N/A | udp |
| IR | 109.74.232.109:40500 | N/A | udp |
| US | 198.163.193.242:40500 | N/A | udp |
| UZ | 93.188.86.40:40500 | N/A | udp |
| KZ | 5.251.96.99:40500 | N/A | udp |
| UZ | 90.156.160.66:40500 | N/A | tcp |
| TM | 91.202.233.141:80 | 91.202.233.141 | tcp |
| IR | 5.219.80.213:40500 | N/A | udp |
| KZ | 89.218.218.206:40500 | N/A | udp |
| RU | 2.63.29.22:40500 | N/A | udp |
| RU | 45.150.25.234:40500 | N/A | udp |
| US | 198.163.207.160:40500 | N/A | udp |
| UZ | 213.230.126.39:40500 | N/A | tcp |
| YE | 134.35.47.47:40500 | N/A | udp |
| KZ | 178.90.49.209:40500 | N/A | udp |
| IR | 5.219.167.24:40500 | N/A | udp |
| UZ | 213.230.99.119:40500 | N/A | udp |
| UZ | 90.156.162.40:40500 | N/A | tcp |
| IR | 195.181.60.156:40500 | N/A | udp |
| KZ | 2.134.48.237:40500 | N/A | udp |
| TJ | 185.177.0.183:40500 | N/A | udp |
Files
\Users\Admin\AppData\Local\Temp\9DC5.exe
| MD5 | 8d8e6c7952a9dc7c0c73911c4dbc5518 |
| SHA1 | 9098da03b33b2c822065b49d5220359c275d5e94 |
| SHA256 | feb4c3ae4566f0acbb9e0f55417b61fefd89dc50a4e684df780813fb01d61278 |
| SHA512 | 91a573843c28dd32a9f31a60ba977f9a3d4bb19ffd1b7254333e09bcecef348c1b3220a348ebb2cb08edb57d56cb7737f026519da52199c9dc62c10aea236645 |
memory/1628-8-0x0000000002C30000-0x0000000002C31000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mediaget-installer-tmp\preloader.html
| MD5 | a9c237c6645d55240cdda002fef26737 |
| SHA1 | 8a7f5c4cf2fd1c924dd1ec754b1b4c5f65bdda80 |
| SHA256 | 0271d97e4e245364c5c52e66d95baf24b3e00c1c8ea6e2b0da59291115cb6087 |
| SHA512 | 480f28bffb5cb96eaf89f601fbf2de03fc5db04f579108b60de1e5be36ede324fc924f624bc29b42747e96f173a860a6fdbaf6da271b6bffb5b7906d11065555 |
C:\Users\Admin\AppData\Local\Temp\mediaget-installer-tmp\Montserrat-Regular.eot
| MD5 | 2dd0a1de870af34d48d43b7cad82b8d9 |
| SHA1 | 440f4f1fdf17a5c8b426ac6bd4535b8fe5258c7e |
| SHA256 | 057bc6c47c47aaccdf31adc48a6b401f6090a02c28e354099eff80907dc2af32 |
| SHA512 | 83df193ab984037b940876bf6371020b4bb13af74e988abb8ad6a30d48ab6cd9dc5c08937e58abab93278cc85c9d79c373688b2c51c035fdeffed639c933e8ff |
C:\Users\Admin\AppData\Local\Temp\mediaget-installer-tmp\img2\page-wait.png
| MD5 | a8210694c45753a7a027296ef745e316 |
| SHA1 | f19dd027d91836de8a1cac5410f906dcdf853fdb |
| SHA256 | 14de6662062adc45202e2021aa4d60e98637dc892a22acb2c7cc16da3344c14d |
| SHA512 | 4b4d3d4f0c5df9375c6661cbe57440bfd264707610a27806b1bfa6025b72260b2b16e6a84b851bca48a528d86b2ca510cd76f00db11c713e6c26eaeace813d4d |
C:\Users\Admin\AppData\Local\Temp\mediaget-installer-tmp\translations.json
| MD5 | a1d597ef7be818c9fa9daa8f18ebf125 |
| SHA1 | 8108290387bfb433c6867d6f29b28f68b6f803c6 |
| SHA256 | b451d4eb04fbf6ea5a92b2d6d1b911c66ef98b7a438fbc3de867c3e91ba86c7a |
| SHA512 | 4b7f09b47d182ea45f8ef50dc77e24a9c4e036f15728c11409651d4513a16e8db06f99a8132a363dc0e6870563f1d419c6e8f692ef6d08eaf340401cccc11123 |
C:\Users\Admin\AppData\Local\Temp\mediaget-installer-tmp\index.html
| MD5 | 9a0a4e3f381ffdeb893fb3ba74bf63c9 |
| SHA1 | 746201ef390ebfd8c9f5e7ac46d9d4716eb8d204 |
| SHA256 | 1e60860fa9a568a50ee835ad17b77dc31ce9e7bb9f6185c442a227c5298ef09d |
| SHA512 | 0f6f04f040337fab978ce06218fee0a02a009eba6e7a585cd6c39fe46364c333df7962c8ab1a094e11ee67ef500e8f6f93c9fad71d2d5444b1d4798385cb9763 |
C:\Users\Admin\AppData\Local\Temp\mediaget-installer-tmp\js\jquery.min.1.6.4.js
| MD5 | ea75b2a8f1b4241a872b1cbddbaed154 |
| SHA1 | 18678dd78c1f5a3525127b442bc70375faf09c16 |
| SHA256 | 4a62927a380e201c4ee51321dcc1e6b1f7dfbf82049cf349df990629e01e9178 |
| SHA512 | dc69cd4703dcba3c8f4a52058c44a34fa7c0b6096bed20f30ce3dab872461eb6dda9d0d381137b9cb022219ad92ca7f5f25d3964ed33d5f41e9fc05efa5330fd |
C:\Users\Admin\AppData\Local\Temp\mediaget-installer-tmp\js\jquery-ui.min.1.8.0.js
| MD5 | a4fdd77e182bd2fabe300a47b5617a35 |
| SHA1 | e002b335c75b5edefcd251962f61f53a2ab8e0f2 |
| SHA256 | 8b59592d67eadc703af6cdd5ba8d077f9f9485d01fb6405555614335f89be99b |
| SHA512 | ddcccde1c129f8f71fb39685abc615c4202b8b3dfc12cedd7d9cca2f97b308fc14b64497826421fa9df3d1cf54bdae9c085051af0a8d393cd3d556a6578d4085 |
C:\Users\Admin\AppData\Local\Temp\mediaget-installer-tmp\Montserrat-Bold.eot
| MD5 | 0f722e725ac50271f9d6db477e8c0d17 |
| SHA1 | d34259cfe05b2ba9c9e5256a3ce513d4bc5afbe8 |
| SHA256 | 7615a4bb88a5680cfead49c1774013ce48c4c7343cb82d7585f7935c705400b0 |
| SHA512 | 9a58e7d1537f28f19dc6e63b36d422748d851b68a8b3eedf69f531d502d9163e41f4d9cc9d782fd6fc70fab269f04dc9907422bd80f5dd265edcc0ae6bddc77a |
C:\Users\Admin\AppData\Local\Temp\mediaget-installer-tmp\Roboto-Regular.eot
| MD5 | b9077621ce786b55c176a61456bfc077 |
| SHA1 | 5f164e1bc0b6573bac876e38ca1bb2e60ff0627e |
| SHA256 | 6cedf381d59fa4caabfb836e9a3720420645cbcea32491a5ac5f07cf274ceac6 |
| SHA512 | b1f2c599804a2d0ac51d3adfe7b2d0a21c5fa1e3d8d83d932f42d30bfd26aad5972d96555097a60f8fdc4d34ed24bad2876a89cf0b27b8cd01c72c0ba8f4d02a |
\Users\Admin\AppData\Local\Temp\322506526.exe
| MD5 | 06560b5e92d704395bc6dae58bc7e794 |
| SHA1 | fbd3e4ae28620197d1f02bfc24adaf4ddacd2372 |
| SHA256 | 9eaaadf3857e4a3e83f4f78d96ab185213b6528c8e470807f9d16035daadf33d |
| SHA512 | b55b49fc1bd526c47d88fcf8a20fcaed900bfb291f2e3e1186ec196a87127ed24df71385ae04fedcc802c362c4ebf38edfc182013febf4496ddeb66ce5195ee3 |
memory/1628-259-0x0000000002C30000-0x0000000002C31000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8P9TO0C6\1[1]
| MD5 | 1fcb78fb6cf9720e9d9494c42142d885 |
| SHA1 | fef9c2e728ab9d56ce9ed28934b3182b6f1d5379 |
| SHA256 | 84652bb8c63ca4fd7eb7a2d6ef44029801f3057aa2961867245a3a765928dd02 |
| SHA512 | cdf58e463af1784aea86995b3e5d6b07701c5c4095e30ec80cc901ffd448c6f4f714c521bf8796ffa8c47538bf8bf5351e157596efaa7ab88155d63dc33f7dc3 |
\Users\Admin\AppData\Local\Temp\195881815.exe
| MD5 | cb8420e681f68db1bad5ed24e7b22114 |
| SHA1 | 416fc65d538d3622f5ca71c667a11df88a927c31 |
| SHA256 | 5850892f67f85991b31fc90f62c8b7791afeb3c08ae1877d857aa2b59471a2ea |
| SHA512 | baaabcc4ad5d409267a34ed7b20e4afb4d247974bfc581d39aae945e5bf8a673a1f8eacae2e6783480c8baaeb0a80d028274a202d456f13d0af956afa0110fdf |
memory/2984-286-0x000000013FEA0000-0x000000013FEA6000-memory.dmp
\Users\Admin\AppData\Local\Temp\336425862.exe
| MD5 | 0c37ee292fec32dba0420e6c94224e28 |
| SHA1 | 012cbdddaddab319a4b3ae2968b42950e929c46b |
| SHA256 | 981d724feebc36777e99513dc061d1f009e589f965c920797285c46d863060d1 |
| SHA512 | 2b60b571c55d0441ba0cfc695f9db5cd12660ebec7effc7e893c3b7a1c6cb6149df487c31b8d748697e260cbc4af29331592b705ea9638f64a711c7a6164628b |
\Users\Admin\AppData\Local\Temp\2281617292.exe
| MD5 | 96509ab828867d81c1693b614b22f41d |
| SHA1 | c5f82005dbda43cedd86708cc5fc3635a781a67e |
| SHA256 | a9de2927b0ec45cf900508fec18531c04ee9fa8a5dfe2fc82c67d9458cf4b744 |
| SHA512 | ff603117a06da8fb2386c1d2049a5896774e41f34d05951ecd4e7b5fc9da51a373e3fcf61af3577ff78490cf898471ce8e71eae848a12812fe98cd7e76e1a9ca |
\Users\Admin\AppData\Local\Temp\1138810692.exe
| MD5 | 13b26b2c7048a92d6a843c1302618fad |
| SHA1 | 89c2dfc01ac12ef2704c7669844ec69f1700c1ca |
| SHA256 | 1753ad35ece25ab9a19048c70062e9170f495e313d7355ebbba59c38f5d90256 |
| SHA512 | d6aff89b61c9945002a6798617ad304612460a607ef1cfbdcb32f8932ca648bcee1d5f2e0321bb4c58c1f4642b1e0ececc1eb82450fdec7dff69b5389f195455 |
memory/2436-316-0x000000001B290000-0x000000001B572000-memory.dmp
memory/2436-317-0x0000000002250000-0x0000000002258000-memory.dmp
memory/2060-320-0x000000013FE90000-0x0000000140427000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 18b13ab1ead31fed8a3b8500b5ccedab |
| SHA1 | 48c32ab10f719586bb3c1e66c7dd685399ab31c7 |
| SHA256 | 9dbd853ea25fc6ca57ea849459b6b1d9eb31d501acc675aee07bd3d6572c94e8 |
| SHA512 | a647b341e7fa6f38daf99224eed3be587be0cbcfba9ce1144c2cac48337c4b23518afe0788a82a6a1c15cc7eeccb2b881eef6f1dde8060a534b12eff02e36fdd |
memory/2544-330-0x000000001B260000-0x000000001B542000-memory.dmp
memory/2544-331-0x00000000022D0000-0x00000000022D8000-memory.dmp
memory/2856-337-0x00000000000B0000-0x00000000000D0000-memory.dmp
memory/1208-336-0x000000013F430000-0x000000013F9C7000-memory.dmp
memory/2444-338-0x0000000140000000-0x0000000140029000-memory.dmp
memory/2856-339-0x0000000140000000-0x00000001407EF000-memory.dmp
memory/2444-340-0x0000000140000000-0x0000000140029000-memory.dmp
memory/2856-341-0x0000000140000000-0x00000001407EF000-memory.dmp
memory/2856-349-0x0000000140000000-0x00000001407EF000-memory.dmp
memory/2856-351-0x0000000140000000-0x00000001407EF000-memory.dmp
memory/2856-353-0x0000000140000000-0x00000001407EF000-memory.dmp
memory/2856-356-0x0000000140000000-0x00000001407EF000-memory.dmp
memory/2856-358-0x0000000140000000-0x00000001407EF000-memory.dmp
memory/2856-360-0x0000000140000000-0x00000001407EF000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-11 02:20
Reported
2024-11-11 02:22
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\sysppvrdnvs.exe | N/A |
Phorphiex family
Phorphiex payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Phorphiex, Phorpiex
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 1160 created 3548 | N/A | C:\Users\Admin\AppData\Local\Temp\2310911154.exe | C:\Windows\Explorer.EXE |
| PID 1160 created 3548 | N/A | C:\Users\Admin\AppData\Local\Temp\2310911154.exe | C:\Windows\Explorer.EXE |
| PID 4276 created 3548 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\Explorer.EXE |
| PID 4276 created 3548 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\Explorer.EXE |
| PID 4276 created 3548 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\Explorer.EXE |
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Windows\sysppvrdnvs.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\412432786.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A23B.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\127219754.exe | N/A |
| N/A | N/A | C:\Windows\sysppvrdnvs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\412432786.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2142223847.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2512715163.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2310911154.exe | N/A |
| N/A | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | N/A |
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\sysppvrdnvs.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysppvrdnvs.exe" | C:\Users\Admin\AppData\Local\Temp\127219754.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4276 set thread context of 4032 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\System32\conhost.exe |
| PID 4276 set thread context of 3208 | N/A | C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe | C:\Windows\System32\dwm.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\sysppvrdnvs.exe | C:\Users\Admin\AppData\Local\Temp\127219754.exe | N/A |
| File opened for modification | C:\Windows\sysppvrdnvs.exe | C:\Users\Admin\AppData\Local\Temp\127219754.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\127219754.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2512715163.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\A23B.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2142223847.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b014f479c70d22623b1a3826e16d70abc750c9103c6597d623ab4183124130f3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\sysppvrdnvs.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Users\Admin\AppData\Local\Temp\b014f479c70d22623b1a3826e16d70abc750c9103c6597d623ab4183124130f3.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Users\Admin\AppData\Local\Temp\b014f479c70d22623b1a3826e16d70abc750c9103c6597d623ab4183124130f3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Users\Admin\AppData\Local\Temp\b014f479c70d22623b1a3826e16d70abc750c9103c6597d623ab4183124130f3.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Users\Admin\AppData\Local\Temp\b014f479c70d22623b1a3826e16d70abc750c9103c6597d623ab4183124130f3.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b014f479c70d22623b1a3826e16d70abc750c9103c6597d623ab4183124130f3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b014f479c70d22623b1a3826e16d70abc750c9103c6597d623ab4183124130f3.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\b014f479c70d22623b1a3826e16d70abc750c9103c6597d623ab4183124130f3.exe
"C:\Users\Admin\AppData\Local\Temp\b014f479c70d22623b1a3826e16d70abc750c9103c6597d623ab4183124130f3.exe"
C:\Users\Admin\AppData\Local\Temp\A23B.exe
"C:\Users\Admin\AppData\Local\Temp\A23B.exe"
C:\Users\Admin\AppData\Local\Temp\127219754.exe
C:\Users\Admin\AppData\Local\Temp\127219754.exe
C:\Windows\sysppvrdnvs.exe
C:\Windows\sysppvrdnvs.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
C:\Windows\SysWOW64\sc.exe
sc stop UsoSvc
C:\Windows\SysWOW64\sc.exe
sc stop WaaSMedicSvc
C:\Windows\SysWOW64\sc.exe
sc stop wuauserv
C:\Windows\SysWOW64\sc.exe
sc stop DoSvc
C:\Windows\SysWOW64\sc.exe
sc stop BITS /wait
C:\Users\Admin\AppData\Local\Temp\412432786.exe
C:\Users\Admin\AppData\Local\Temp\412432786.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
C:\Windows\system32\schtasks.exe
schtasks /delete /f /tn "Windows Upgrade Manager"
C:\Users\Admin\AppData\Local\Temp\2142223847.exe
C:\Users\Admin\AppData\Local\Temp\2142223847.exe
C:\Users\Admin\AppData\Local\Temp\2512715163.exe
C:\Users\Admin\AppData\Local\Temp\2512715163.exe
C:\Users\Admin\AppData\Local\Temp\2310911154.exe
C:\Users\Admin\AppData\Local\Temp\2310911154.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe
"C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
C:\Windows\System32\dwm.exe
C:\Windows\System32\dwm.exe
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.66:80 | 185.215.113.66 | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | twizt.net | udp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| US | 8.8.8.8:53 | www.update.microsoft.com | udp |
| US | 20.72.235.82:80 | www.update.microsoft.com | tcp |
| US | 8.8.8.8:53 | 82.235.72.20.in-addr.arpa | udp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| IR | 37.254.242.74:40500 | N/A | udp |
| US | 198.163.198.59:40500 | N/A | tcp |
| US | 8.8.8.8:53 | 74.242.254.37.in-addr.arpa | udp |
| RU | 185.215.113.84:80 | 185.215.113.84 | tcp |
| US | 198.163.193.10:40500 | N/A | udp |
| US | 8.8.8.8:53 | 84.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.193.163.198.in-addr.arpa | udp |
| RU | 185.215.113.66:80 | twizt.net | tcp |
| UZ | 213.230.99.184:40500 | N/A | udp |
| US | 8.8.8.8:53 | 184.99.230.213.in-addr.arpa | udp |
| KZ | 95.59.165.102:40500 | N/A | udp |
| US | 8.8.8.8:53 | 102.165.59.95.in-addr.arpa | udp |
| UZ | 195.158.21.74:40500 | N/A | udp |
| US | 8.8.8.8:53 | 74.21.158.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | twizthash.net | udp |
| RU | 185.215.113.66:5152 | twizthash.net | tcp |
| US | 198.163.193.96:40500 | N/A | tcp |
| KZ | 92.47.143.122:40500 | N/A | udp |
| US | 8.8.8.8:53 | 122.143.47.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| UZ | 90.156.161.119:40500 | N/A | udp |
| US | 8.8.8.8:53 | 119.161.156.90.in-addr.arpa | udp |
| KZ | 84.240.242.246:40500 | N/A | udp |
| US | 8.8.8.8:53 | 246.242.240.84.in-addr.arpa | udp |
| AF | 175.106.46.94:40500 | N/A | udp |
| US | 8.8.8.8:53 | 94.46.106.175.in-addr.arpa | udp |
| UZ | 90.156.162.79:40500 | N/A | tcp |
| KZ | 2.135.21.142:40500 | N/A | udp |
| US | 8.8.8.8:53 | 142.21.135.2.in-addr.arpa | udp |
| KZ | 37.151.73.50:40500 | N/A | udp |
| US | 8.8.8.8:53 | 50.73.151.37.in-addr.arpa | udp |
| TM | 91.202.233.141:80 | 91.202.233.141 | tcp |
| UZ | 94.230.236.36:40500 | N/A | udp |
| US | 8.8.8.8:53 | 141.233.202.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.236.230.94.in-addr.arpa | udp |
| KZ | 178.91.226.62:40500 | N/A | udp |
| US | 8.8.8.8:53 | 62.226.91.178.in-addr.arpa | udp |
| IR | 37.255.208.54:40500 | N/A | udp |
| US | 8.8.8.8:53 | 54.208.255.37.in-addr.arpa | udp |
| IR | 46.167.144.60:40500 | N/A | tcp |
| IR | 151.233.138.163:40500 | N/A | udp |
| US | 8.8.8.8:53 | 163.138.233.151.in-addr.arpa | udp |
| US | 198.163.202.110:40500 | N/A | udp |
| US | 8.8.8.8:53 | 110.202.163.198.in-addr.arpa | udp |
| UZ | 185.203.237.213:40500 | N/A | udp |
| US | 8.8.8.8:53 | 213.237.203.185.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\A23B.exe
| MD5 | 8d8e6c7952a9dc7c0c73911c4dbc5518 |
| SHA1 | 9098da03b33b2c822065b49d5220359c275d5e94 |
| SHA256 | feb4c3ae4566f0acbb9e0f55417b61fefd89dc50a4e684df780813fb01d61278 |
| SHA512 | 91a573843c28dd32a9f31a60ba977f9a3d4bb19ffd1b7254333e09bcecef348c1b3220a348ebb2cb08edb57d56cb7737f026519da52199c9dc62c10aea236645 |
C:\Users\Admin\AppData\Local\Temp\mediaget-installer-tmp\preloader.html
| MD5 | a9c237c6645d55240cdda002fef26737 |
| SHA1 | 8a7f5c4cf2fd1c924dd1ec754b1b4c5f65bdda80 |
| SHA256 | 0271d97e4e245364c5c52e66d95baf24b3e00c1c8ea6e2b0da59291115cb6087 |
| SHA512 | 480f28bffb5cb96eaf89f601fbf2de03fc5db04f579108b60de1e5be36ede324fc924f624bc29b42747e96f173a860a6fdbaf6da271b6bffb5b7906d11065555 |
C:\Users\Admin\AppData\Local\Temp\mediaget-installer-tmp\Montserrat-Regular.eot
| MD5 | 2dd0a1de870af34d48d43b7cad82b8d9 |
| SHA1 | 440f4f1fdf17a5c8b426ac6bd4535b8fe5258c7e |
| SHA256 | 057bc6c47c47aaccdf31adc48a6b401f6090a02c28e354099eff80907dc2af32 |
| SHA512 | 83df193ab984037b940876bf6371020b4bb13af74e988abb8ad6a30d48ab6cd9dc5c08937e58abab93278cc85c9d79c373688b2c51c035fdeffed639c933e8ff |
C:\Users\Admin\AppData\Local\Temp\127219754.exe
| MD5 | 06560b5e92d704395bc6dae58bc7e794 |
| SHA1 | fbd3e4ae28620197d1f02bfc24adaf4ddacd2372 |
| SHA256 | 9eaaadf3857e4a3e83f4f78d96ab185213b6528c8e470807f9d16035daadf33d |
| SHA512 | b55b49fc1bd526c47d88fcf8a20fcaed900bfb291f2e3e1186ec196a87127ed24df71385ae04fedcc802c362c4ebf38edfc182013febf4496ddeb66ce5195ee3 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eigzds2r.nwc.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\H6N4U6J0\1[1]
| MD5 | 1fcb78fb6cf9720e9d9494c42142d885 |
| SHA1 | fef9c2e728ab9d56ce9ed28934b3182b6f1d5379 |
| SHA256 | 84652bb8c63ca4fd7eb7a2d6ef44029801f3057aa2961867245a3a765928dd02 |
| SHA512 | cdf58e463af1784aea86995b3e5d6b07701c5c4095e30ec80cc901ffd448c6f4f714c521bf8796ffa8c47538bf8bf5351e157596efaa7ab88155d63dc33f7dc3 |
C:\Users\Admin\AppData\Local\Temp\412432786.exe
| MD5 | cb8420e681f68db1bad5ed24e7b22114 |
| SHA1 | 416fc65d538d3622f5ca71c667a11df88a927c31 |
| SHA256 | 5850892f67f85991b31fc90f62c8b7791afeb3c08ae1877d857aa2b59471a2ea |
| SHA512 | baaabcc4ad5d409267a34ed7b20e4afb4d247974bfc581d39aae945e5bf8a673a1f8eacae2e6783480c8baaeb0a80d028274a202d456f13d0af956afa0110fdf |
C:\Users\Admin\AppData\Local\Temp\2142223847.exe
| MD5 | 0c37ee292fec32dba0420e6c94224e28 |
| SHA1 | 012cbdddaddab319a4b3ae2968b42950e929c46b |
| SHA256 | 981d724feebc36777e99513dc061d1f009e589f965c920797285c46d863060d1 |
| SHA512 | 2b60b571c55d0441ba0cfc695f9db5cd12660ebec7effc7e893c3b7a1c6cb6149df487c31b8d748697e260cbc4af29331592b705ea9638f64a711c7a6164628b |
C:\Users\Admin\AppData\Local\Temp\2512715163.exe
| MD5 | 96509ab828867d81c1693b614b22f41d |
| SHA1 | c5f82005dbda43cedd86708cc5fc3635a781a67e |
| SHA256 | a9de2927b0ec45cf900508fec18531c04ee9fa8a5dfe2fc82c67d9458cf4b744 |
| SHA512 | ff603117a06da8fb2386c1d2049a5896774e41f34d05951ecd4e7b5fc9da51a373e3fcf61af3577ff78490cf898471ce8e71eae848a12812fe98cd7e76e1a9ca |
C:\Users\Admin\AppData\Local\Temp\2310911154.exe
| MD5 | 13b26b2c7048a92d6a843c1302618fad |
| SHA1 | 89c2dfc01ac12ef2704c7669844ec69f1700c1ca |
| SHA256 | 1753ad35ece25ab9a19048c70062e9170f495e313d7355ebbba59c38f5d90256 |
| SHA512 | d6aff89b61c9945002a6798617ad304612460a607ef1cfbdcb32f8932ca648bcee1d5f2e0321bb4c58c1f4642b1e0ececc1eb82450fdec7dff69b5389f195455 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 81381b918f615da455b357d286cc3b30 |
| SHA1 | 0dc4516fc3bdb7e1a0f330ca13ac270614462fe7 |
| SHA256 | 3ce2dad7b2cb55344b9abd0954bf8866c65128477bf5a75c55089e657fdf2c63 |
| SHA512 | e0da39cce539237a192cc292046d06952ed514157189609115f9484e5dc639271bae00795bb6bb1054f7bb7d511180cab4eb26454635d3f40d96e6599e010a33 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | fee026663fcb662152188784794028ee |
| SHA1 | 3c02a26a9cb16648fad85c6477b68ced3cb0cb45 |
| SHA256 | dbd4136bc342e3e92902ec3a30d165452c82997a7ae24ac90775e42d88959e6b |
| SHA512 | 7b12bd5c8fc4356b9123d6586b4980cf76012663b41c0dab6f6f21567e2f4005c5bcea2cc2158d157e4f801a281f3e04bad3774cddb3122db309ccf662184bd6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d95b08252ed624f6d91b46523f110f29 |
| SHA1 | 17577997bc1fb5d3fbe59be84013165534415dc3 |
| SHA256 | 342ce7c39bf9992d31d4b61ef138b2b084c96c74736ed00bb19aae49be16ca02 |
| SHA512 | 0c4288176d56f4ee6d8f08f568fba07ad859f50a395c39d2afd3baf55d3d29ca065a1ce305d1bd790477c35977c0ffa230543e805622f80a77bcee71b24eb257 |