meduza | 23c507d3eb066415ccf2c22491fd949d1b3aba3155648e5c3a53bcbb04444c42

Analysis

max time kernel
152s
max time network
154s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
09-12-2024 07:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Xeno.exe
Size

649.1MB
MD5

3b9c084d35bedcfe4cf7b306ecbf78ac
SHA1

24ae90b623cddc6666d8fca32d279f75a8c293e3
SHA256

d794c2ac1b5a6783f1754e61f9efa20e627e1798319210db326761d7516df88b
SHA512

18b610cea4e05502b86b70008c4bd1f8f414e1d6793a1c3136181f5dfffdb2391c0d31f36dc899b393cb4d3a37ef6b9734c7c8020f13440d10b35d19fabb79b6
SSDEEP

49152:c57nFOOBDBLH/oDfHqvBeROOUKGoAocLFRNAYnsL1C:c57QOBDBbcfHuSOTKGFLbNn+

Score

10^/10

meduza collection discovery evasion execution persistence spyware stealer

Malware Config

Extracted

Family

meduza

45.130.145.152

Attributes

anti_dbg
true
anti_vm
true
build_name
Oxoxox
extensions
.txt;.doc;.docx;.pdf;.xls;.xlsx;.log;.db;.sqlite
grabber_max_size
3.145728e+06
port
15666
self_destruct
true

Signatures

Meduza
Meduza is a crypto wallet and info stealer written in C++.
stealer meduza

Meduza Stealer payload 43 IoCs

resource	yara_rule
behavioral4/memory/2688-34-0x000002486E5E0000-0x000002486E7DA000-memory.dmp	family_meduza
behavioral4/memory/2688-36-0x000002486E5E0000-0x000002486E7DA000-memory.dmp	family_meduza
behavioral4/memory/2688-31-0x000002486E5E0000-0x000002486E7DA000-memory.dmp	family_meduza
behavioral4/memory/2688-30-0x000002486E5E0000-0x000002486E7DA000-memory.dmp	family_meduza
behavioral4/memory/2688-29-0x000002486E5E0000-0x000002486E7DA000-memory.dmp	family_meduza
behavioral4/memory/2688-28-0x000002486E5E0000-0x000002486E7DA000-memory.dmp	family_meduza
behavioral4/memory/2688-37-0x000002486E5E0000-0x000002486E7DA000-memory.dmp	family_meduza
behavioral4/memory/2688-43-0x000002486E5E0000-0x000002486E7DA000-memory.dmp	family_meduza
behavioral4/memory/2688-35-0x000002486E5E0000-0x000002486E7DA000-memory.dmp	family_meduza
behavioral4/memory/2688-38-0x000002486E5E0000-0x000002486E7DA000-memory.dmp	family_meduza
behavioral4/memory/2688-41-0x000002486E5E0000-0x000002486E7DA000-memory.dmp	family_meduza
behavioral4/memory/2688-61-0x000002486E5E0000-0x000002486E7DA000-memory.dmp	family_meduza
behavioral4/memory/2688-60-0x000002486E5E0000-0x000002486E7DA000-memory.dmp	family_meduza
behavioral4/memory/2688-65-0x000002486E5E0000-0x000002486E7DA000-memory.dmp	family_meduza
behavioral4/memory/2688-64-0x000002486E5E0000-0x000002486E7DA000-memory.dmp	family_meduza
behavioral4/memory/2688-67-0x000002486E5E0000-0x000002486E7DA000-memory.dmp	family_meduza
behavioral4/memory/2688-71-0x000002486E5E0000-0x000002486E7DA000-memory.dmp	family_meduza
behavioral4/memory/2688-70-0x000002486E5E0000-0x000002486E7DA000-memory.dmp	family_meduza
behavioral4/memory/2688-66-0x000002486E5E0000-0x000002486E7DA000-memory.dmp	family_meduza
behavioral4/memory/2688-82-0x000002486E5E0000-0x000002486E7DA000-memory.dmp	family_meduza
behavioral4/memory/2688-94-0x000002486E5E0000-0x000002486E7DA000-memory.dmp	family_meduza
behavioral4/memory/2688-113-0x000002486E5E0000-0x000002486E7DA000-memory.dmp	family_meduza
behavioral4/memory/2688-112-0x000002486E5E0000-0x000002486E7DA000-memory.dmp	family_meduza
behavioral4/memory/2688-107-0x000002486E5E0000-0x000002486E7DA000-memory.dmp	family_meduza
behavioral4/memory/2688-121-0x000002486E5E0000-0x000002486E7DA000-memory.dmp	family_meduza
behavioral4/memory/2688-120-0x000002486E5E0000-0x000002486E7DA000-memory.dmp	family_meduza
behavioral4/memory/2688-117-0x000002486E5E0000-0x000002486E7DA000-memory.dmp	family_meduza
behavioral4/memory/2688-116-0x000002486E5E0000-0x000002486E7DA000-memory.dmp	family_meduza
behavioral4/memory/2688-103-0x000002486E5E0000-0x000002486E7DA000-memory.dmp	family_meduza
behavioral4/memory/2688-101-0x000002486E5E0000-0x000002486E7DA000-memory.dmp	family_meduza
behavioral4/memory/2688-100-0x000002486E5E0000-0x000002486E7DA000-memory.dmp	family_meduza
behavioral4/memory/2688-89-0x000002486E5E0000-0x000002486E7DA000-memory.dmp	family_meduza
behavioral4/memory/2688-88-0x000002486E5E0000-0x000002486E7DA000-memory.dmp	family_meduza
behavioral4/memory/2688-85-0x000002486E5E0000-0x000002486E7DA000-memory.dmp	family_meduza
behavioral4/memory/2688-83-0x000002486E5E0000-0x000002486E7DA000-memory.dmp	family_meduza
behavioral4/memory/2688-79-0x000002486E5E0000-0x000002486E7DA000-memory.dmp	family_meduza
behavioral4/memory/2688-77-0x000002486E5E0000-0x000002486E7DA000-memory.dmp	family_meduza
behavioral4/memory/2688-73-0x000002486E5E0000-0x000002486E7DA000-memory.dmp	family_meduza
behavioral4/memory/2688-106-0x000002486E5E0000-0x000002486E7DA000-memory.dmp	family_meduza
behavioral4/memory/2688-95-0x000002486E5E0000-0x000002486E7DA000-memory.dmp	family_meduza
behavioral4/memory/2688-76-0x000002486E5E0000-0x000002486E7DA000-memory.dmp	family_meduza
behavioral4/memory/2688-72-0x000002486E5E0000-0x000002486E7DA000-memory.dmp	family_meduza
behavioral4/memory/2688-185-0x000002486E5E0000-0x000002486E7DA000-memory.dmp	family_meduza

Meduza family
meduza

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3400	powershell.exe
1840	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 3 IoCs

pid	Process
2688	executor.exe
2928	libs.exe
2208	vzppfnnlsyit.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	executor.exe
Key opened	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	executor.exe
Key opened	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	executor.exe
Key opened	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	executor.exe
Key opened	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	executor.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	api.ipify.org
6	api.ipify.org

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
4592	powercfg.exe
1080	powercfg.exe
4164	powercfg.exe
4964	powercfg.exe
3548	powercfg.exe
1644	powercfg.exe
3764	powercfg.exe
4904	powercfg.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	libs.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	vzppfnnlsyit.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2208 set thread context of 3020	2208	vzppfnnlsyit.exe	131
PID 2208 set thread context of 340	2208	vzppfnnlsyit.exe	136

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2908	sc.exe
2344	sc.exe
3564	sc.exe
1916	sc.exe
3468	sc.exe
4180	sc.exe
4296	sc.exe
4848	sc.exe
4928	sc.exe
2028	sc.exe
2780	sc.exe
3276	sc.exe
2512	sc.exe
4724	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4372	cmd.exe
1836	PING.EXE

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1836	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1608	Xeno.exe
2688	executor.exe
2688	executor.exe
2928	libs.exe
3400	powershell.exe
3400	powershell.exe
2928	libs.exe
2928	libs.exe
2928	libs.exe
2928	libs.exe
2928	libs.exe
2928	libs.exe
2928	libs.exe
2928	libs.exe
2928	libs.exe
2928	libs.exe
2928	libs.exe
2928	libs.exe
2928	libs.exe
2928	libs.exe
2208	vzppfnnlsyit.exe
1840	powershell.exe
1840	powershell.exe
2208	vzppfnnlsyit.exe
2208	vzppfnnlsyit.exe
2208	vzppfnnlsyit.exe
2208	vzppfnnlsyit.exe
2208	vzppfnnlsyit.exe
2208	vzppfnnlsyit.exe
2208	vzppfnnlsyit.exe
2208	vzppfnnlsyit.exe
2208	vzppfnnlsyit.exe
2208	vzppfnnlsyit.exe
2208	vzppfnnlsyit.exe
2208	vzppfnnlsyit.exe
340	svchost.exe
340	svchost.exe
340	svchost.exe
340	svchost.exe
340	svchost.exe
340	svchost.exe
340	svchost.exe
340	svchost.exe
340	svchost.exe
340	svchost.exe
340	svchost.exe
340	svchost.exe
340	svchost.exe
340	svchost.exe
340	svchost.exe
340	svchost.exe
340	svchost.exe
340	svchost.exe
340	svchost.exe
340	svchost.exe
340	svchost.exe
340	svchost.exe
340	svchost.exe
340	svchost.exe
340	svchost.exe
340	svchost.exe
340	svchost.exe
340	svchost.exe
340	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1608	Xeno.exe
Token: SeIncreaseQuotaPrivilege	1608	Xeno.exe
Token: SeSecurityPrivilege	1608	Xeno.exe
Token: SeTakeOwnershipPrivilege	1608	Xeno.exe
Token: SeLoadDriverPrivilege	1608	Xeno.exe
Token: SeSystemProfilePrivilege	1608	Xeno.exe
Token: SeSystemtimePrivilege	1608	Xeno.exe
Token: SeProfSingleProcessPrivilege	1608	Xeno.exe
Token: SeIncBasePriorityPrivilege	1608	Xeno.exe
Token: SeCreatePagefilePrivilege	1608	Xeno.exe
Token: SeBackupPrivilege	1608	Xeno.exe
Token: SeRestorePrivilege	1608	Xeno.exe
Token: SeShutdownPrivilege	1608	Xeno.exe
Token: SeDebugPrivilege	1608	Xeno.exe
Token: SeSystemEnvironmentPrivilege	1608	Xeno.exe
Token: SeRemoteShutdownPrivilege	1608	Xeno.exe
Token: SeUndockPrivilege	1608	Xeno.exe
Token: SeManageVolumePrivilege	1608	Xeno.exe
Token: 33	1608	Xeno.exe
Token: 34	1608	Xeno.exe
Token: 35	1608	Xeno.exe
Token: 36	1608	Xeno.exe
Token: SeDebugPrivilege	2688	executor.exe
Token: SeImpersonatePrivilege	2688	executor.exe
Token: SeIncreaseQuotaPrivilege	1608	Xeno.exe
Token: SeSecurityPrivilege	1608	Xeno.exe
Token: SeTakeOwnershipPrivilege	1608	Xeno.exe
Token: SeLoadDriverPrivilege	1608	Xeno.exe
Token: SeSystemProfilePrivilege	1608	Xeno.exe
Token: SeSystemtimePrivilege	1608	Xeno.exe
Token: SeProfSingleProcessPrivilege	1608	Xeno.exe
Token: SeIncBasePriorityPrivilege	1608	Xeno.exe
Token: SeCreatePagefilePrivilege	1608	Xeno.exe
Token: SeBackupPrivilege	1608	Xeno.exe
Token: SeRestorePrivilege	1608	Xeno.exe
Token: SeShutdownPrivilege	1608	Xeno.exe
Token: SeDebugPrivilege	1608	Xeno.exe
Token: SeSystemEnvironmentPrivilege	1608	Xeno.exe
Token: SeRemoteShutdownPrivilege	1608	Xeno.exe
Token: SeUndockPrivilege	1608	Xeno.exe
Token: SeManageVolumePrivilege	1608	Xeno.exe
Token: 33	1608	Xeno.exe
Token: 34	1608	Xeno.exe
Token: 35	1608	Xeno.exe
Token: 36	1608	Xeno.exe
Token: SeDebugPrivilege	3400	powershell.exe
Token: SeShutdownPrivilege	4964	powercfg.exe
Token: SeCreatePagefilePrivilege	4964	powercfg.exe
Token: SeShutdownPrivilege	3548	powercfg.exe
Token: SeCreatePagefilePrivilege	3548	powercfg.exe
Token: SeShutdownPrivilege	1644	powercfg.exe
Token: SeCreatePagefilePrivilege	1644	powercfg.exe
Token: SeShutdownPrivilege	3764	powercfg.exe
Token: SeCreatePagefilePrivilege	3764	powercfg.exe
Token: SeDebugPrivilege	1840	powershell.exe
Token: SeLockMemoryPrivilege	340	svchost.exe
Token: SeShutdownPrivilege	4904	powercfg.exe
Token: SeCreatePagefilePrivilege	4904	powercfg.exe
Token: SeShutdownPrivilege	4592	powercfg.exe
Token: SeCreatePagefilePrivilege	4592	powercfg.exe
Token: SeShutdownPrivilege	4164	powercfg.exe
Token: SeCreatePagefilePrivilege	4164	powercfg.exe
Token: SeShutdownPrivilege	1080	powercfg.exe
Token: SeCreatePagefilePrivilege	1080	powercfg.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 2688	1608	Xeno.exe	78
PID 1608 wrote to memory of 2688	1608	Xeno.exe	78
PID 1608 wrote to memory of 2928	1608	Xeno.exe	79
PID 1608 wrote to memory of 2928	1608	Xeno.exe	79
PID 2404 wrote to memory of 4364	2404	cmd.exe	86
PID 2404 wrote to memory of 4364	2404	cmd.exe	86
PID 2836 wrote to memory of 4636	2836	cmd.exe	118
PID 2836 wrote to memory of 4636	2836	cmd.exe	118
PID 2208 wrote to memory of 3020	2208	vzppfnnlsyit.exe	131
PID 2208 wrote to memory of 3020	2208	vzppfnnlsyit.exe	131
PID 2208 wrote to memory of 3020	2208	vzppfnnlsyit.exe	131
PID 2208 wrote to memory of 3020	2208	vzppfnnlsyit.exe	131
PID 2208 wrote to memory of 3020	2208	vzppfnnlsyit.exe	131
PID 2208 wrote to memory of 3020	2208	vzppfnnlsyit.exe	131
PID 2208 wrote to memory of 3020	2208	vzppfnnlsyit.exe	131
PID 2208 wrote to memory of 3020	2208	vzppfnnlsyit.exe	131
PID 2208 wrote to memory of 3020	2208	vzppfnnlsyit.exe	131
PID 2208 wrote to memory of 340	2208	vzppfnnlsyit.exe	136
PID 2208 wrote to memory of 340	2208	vzppfnnlsyit.exe	136
PID 2208 wrote to memory of 340	2208	vzppfnnlsyit.exe	136
PID 2208 wrote to memory of 340	2208	vzppfnnlsyit.exe	136
PID 2208 wrote to memory of 340	2208	vzppfnnlsyit.exe	136
PID 2688 wrote to memory of 4372	2688	executor.exe	137
PID 2688 wrote to memory of 4372	2688	executor.exe	137
PID 4372 wrote to memory of 1836	4372	cmd.exe	139
PID 4372 wrote to memory of 1836	4372	cmd.exe	139

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	executor.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	executor.exe

C:\Users\Admin\AppData\Local\Temp\Xeno.exe
"C:\Users\Admin\AppData\Local\Temp\Xeno.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Users\Admin\AppData\Local\Temp\executor.exe
  "C:\Users\Admin\AppData\Local\Temp\executor.exe"
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:2688
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\executor.exe"
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:4372
  - - C:\Windows\system32\PING.EXE
      ping 1.1.1.1 -n 1 -w 3000
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1836
- C:\Users\Admin\AppData\Local\Temp\libs.exe
  "C:\Users\Admin\AppData\Local\Temp\libs.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2928
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2404
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:4364
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:3468
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:4180
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2512
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:2028
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:2344
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:4964
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:3548
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:3764
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1644
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "LBFXRZGB"
    3⤵
    - Launches sc.exe
    PID:3564
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "LBFXRZGB" binpath= "C:\ProgramData\spvpfblnegdb\vzppfnnlsyit.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:2780
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:4724
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "LBFXRZGB"
    3⤵
    - Launches sc.exe
    PID:1916

C:\ProgramData\spvpfblnegdb\vzppfnnlsyit.exe
C:\ProgramData\spvpfblnegdb\vzppfnnlsyit.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:4636
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:4296
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:2908
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:4848
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:4928
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:3276
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4904
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4592
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4164
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1080
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:3020
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xza3a44d.jds.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\executor.exe

Filesize
3.2MB

MD5
73912751e057519963f46c41303b80be

SHA1
c427938e79a4b1079599445790628bf3f5da923b

SHA256
9d28797efffc22cdbc2f58ef13897a99d3b287c5a493e5880d9c80b91f334105

SHA512
792c98d634a81b651d2e5089d069cab46fecbe8f5d23a8e528fb702644e85737941b7c1eef861468236dd064876577782bdfbd07836db2deb40965c2e1127e35

Download Submit
C:\Users\Admin\AppData\Local\Temp\libs.exe

Filesize
5.0MB

MD5
769ea3d0e0cf22eaa7526a89c0f438cf

SHA1
5221042ad60744e2bdcf8319ff00bdbfc253eb59

SHA256
b369c94a835882a2267ff0a7a4ebb9a91621c3f134f63010d491121a7827b448

SHA512
d50130430911f16f4d2f7e4d3552f51ceb74601eda13cfbc374c9327e11d7865bdfc49803b54cf7b595b89996db28d3173d7a22993e968fd9a1a080c6b434c9a

Download Submit
memory/1608-0-0x00007FFE1C583000-0x00007FFE1C585000-memory.dmp

Filesize
8KB

Download
memory/1608-1-0x0000028FCDE30000-0x0000028FCEE30000-memory.dmp

Filesize
16.0MB

Download
memory/1608-2-0x00007FFE1C580000-0x00007FFE1D042000-memory.dmp

Filesize
10.8MB

Download
memory/1608-3-0x00007FFE1C580000-0x00007FFE1D042000-memory.dmp

Filesize
10.8MB

Download
memory/1608-4-0x00007FFE1C583000-0x00007FFE1C585000-memory.dmp

Filesize
8KB

Download
memory/1608-5-0x00007FFE1C580000-0x00007FFE1D042000-memory.dmp

Filesize
10.8MB

Download
memory/1608-14-0x0000028FF6B60000-0x0000028FF6B82000-memory.dmp

Filesize
136KB

Download
memory/1608-15-0x0000028FF6970000-0x0000028FF697A000-memory.dmp

Filesize
40KB

Download
memory/1608-16-0x00007FFE1C580000-0x00007FFE1D042000-memory.dmp

Filesize
10.8MB

Download
memory/1608-115-0x00007FFE1C580000-0x00007FFE1D042000-memory.dmp

Filesize
10.8MB

Download
memory/1840-151-0x0000012F6B860000-0x0000012F6B87C000-memory.dmp

Filesize
112KB

Download
memory/1840-159-0x0000012F6BA90000-0x0000012F6BA9A000-memory.dmp

Filesize
40KB

Download
memory/1840-158-0x0000012F6BA80000-0x0000012F6BA86000-memory.dmp

Filesize
24KB

Download
memory/1840-157-0x0000012F6B950000-0x0000012F6B958000-memory.dmp

Filesize
32KB

Download
memory/1840-156-0x0000012F6BAA0000-0x0000012F6BABA000-memory.dmp

Filesize
104KB

Download
memory/1840-155-0x0000012F6B940000-0x0000012F6B94A000-memory.dmp

Filesize
40KB

Download
memory/1840-154-0x0000012F6BA60000-0x0000012F6BA7C000-memory.dmp

Filesize
112KB

Download
memory/1840-153-0x0000012F6B850000-0x0000012F6B85A000-memory.dmp

Filesize
40KB

Download
memory/1840-152-0x0000012F6B880000-0x0000012F6B933000-memory.dmp

Filesize
716KB

Download
memory/2688-71-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

Filesize
2.0MB

Download
memory/2688-101-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

Filesize
2.0MB

Download
memory/2688-35-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

Filesize
2.0MB

Download
memory/2688-38-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

Filesize
2.0MB

Download
memory/2688-41-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

Filesize
2.0MB

Download
memory/2688-61-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

Filesize
2.0MB

Download
memory/2688-60-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

Filesize
2.0MB

Download
memory/2688-65-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

Filesize
2.0MB

Download
memory/2688-64-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

Filesize
2.0MB

Download
memory/2688-67-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

Filesize
2.0MB

Download
memory/2688-37-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

Filesize
2.0MB

Download
memory/2688-70-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

Filesize
2.0MB

Download
memory/2688-66-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

Filesize
2.0MB

Download
memory/2688-82-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

Filesize
2.0MB

Download
memory/2688-94-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

Filesize
2.0MB

Download
memory/2688-113-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

Filesize
2.0MB

Download
memory/2688-112-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

Filesize
2.0MB

Download
memory/2688-107-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

Filesize
2.0MB

Download
memory/2688-121-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

Filesize
2.0MB

Download
memory/2688-120-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

Filesize
2.0MB

Download
memory/2688-117-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

Filesize
2.0MB

Download
memory/2688-116-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

Filesize
2.0MB

Download
memory/2688-103-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

Filesize
2.0MB

Download
memory/2688-43-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

Filesize
2.0MB

Download
memory/2688-100-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

Filesize
2.0MB

Download
memory/2688-89-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

Filesize
2.0MB

Download
memory/2688-88-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

Filesize
2.0MB

Download
memory/2688-85-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

Filesize
2.0MB

Download
memory/2688-83-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

Filesize
2.0MB

Download
memory/2688-79-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

Filesize
2.0MB

Download
memory/2688-77-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

Filesize
2.0MB

Download
memory/2688-73-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

Filesize
2.0MB

Download
memory/2688-106-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

Filesize
2.0MB

Download
memory/2688-95-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

Filesize
2.0MB

Download
memory/2688-76-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

Filesize
2.0MB

Download
memory/2688-26-0x000002486E510000-0x000002486E511000-memory.dmp

Filesize
4KB

Download
memory/2688-28-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

Filesize
2.0MB

Download
memory/2688-29-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

Filesize
2.0MB

Download
memory/2688-30-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

Filesize
2.0MB

Download
memory/2688-31-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

Filesize
2.0MB

Download
memory/2688-36-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

Filesize
2.0MB

Download
memory/2688-34-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

Filesize
2.0MB

Download
memory/2688-25-0x00007FFE2C0E0000-0x00007FFE2C2E9000-memory.dmp

Filesize
2.0MB

Download
memory/2688-72-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

Filesize
2.0MB

Download
memory/2688-185-0x000002486E5E0000-0x000002486E7DA000-memory.dmp

Filesize
2.0MB

Download