rhadamanthys | e0745056c058f048f62d5a4793f01d333b6424787d9b749554bd8ef0c601b2e3

Analysis

max time kernel
117s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24/12/2024, 14:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_e0745056c058f048f62d5a4793f01d333b6424787d9b749554bd8ef0c601b2e3.exe
Size

803.3MB
MD5

b3eeca164c17ac49a4331b958581a027
SHA1

203546af9583d10bbcabaeb6a920b34fc9b6c403
SHA256

e0745056c058f048f62d5a4793f01d333b6424787d9b749554bd8ef0c601b2e3
SHA512

643e76ca3ecebe59f5093a64e35f486a7b0fba41d21dacc551276724d4f2ce1bf589add02d6c87428672b9f78a5342bb4063e928eae18f8e872bcafe1a9a7a9a
SSDEEP

196608:cXhlI9IqtZdoOzESU2oxIqtU6u5rP8g4fVd1HDqEvwtG8KZmX2R:ou9Iq2gGxFtU6tgUVrHuEVtZG2

Score

10^/10

rhadamanthys xmrig discovery evasion execution miner persistence stealer themida trojan

Malware Config

Extracted

Family

rhadamanthys

https://82.115.223.156:4924/d3a57c7e95391394/necb5kh1.3b9m5

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Rhadamanthys family
rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2372 created 1208	2372	Oral.pif	21

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Zerus.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rzqvwleexlar.exe

XMRig Miner payload 19 IoCs

miner

resource	yara_rule
behavioral1/memory/2100-66-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2100-68-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2100-70-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2100-73-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2100-75-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2100-69-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2100-72-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2100-71-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2100-67-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2100-79-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2100-80-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2100-83-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2100-82-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2100-81-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2100-85-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2100-86-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2100-106-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2100-107-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2100-105-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3044	powershell.exe
2724	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rzqvwleexlar.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Zerus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Zerus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rzqvwleexlar.exe

Executes dropped EXE 5 IoCs

pid	Process
3020	Zerus.exe
1364	AnalysesTolerance.exe
2372	Oral.pif
480	Process not Found
772	rzqvwleexlar.exe

Loads dropped DLL 5 IoCs

pid	Process
2360	JaffaCakes118_e0745056c058f048f62d5a4793f01d333b6424787d9b749554bd8ef0c601b2e3.exe
2360	JaffaCakes118_e0745056c058f048f62d5a4793f01d333b6424787d9b749554bd8ef0c601b2e3.exe
2360	JaffaCakes118_e0745056c058f048f62d5a4793f01d333b6424787d9b749554bd8ef0c601b2e3.exe
1956	cmd.exe
480	Process not Found

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/3020-16-0x0000000140000000-0x0000000140B0B000-memory.dmp	themida
behavioral1/memory/3020-49-0x0000000140000000-0x0000000140B0B000-memory.dmp	themida
behavioral1/memory/772-53-0x0000000140000000-0x0000000140B0B000-memory.dmp	themida
behavioral1/memory/772-77-0x0000000140000000-0x0000000140B0B000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Zerus.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rzqvwleexlar.exe

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2452	powercfg.exe
1340	powercfg.exe
2420	powercfg.exe
2620	powercfg.exe
2668	powercfg.exe
2972	powercfg.exe
3012	powercfg.exe
1016	powercfg.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	rzqvwleexlar.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	Zerus.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2364	tasklist.exe
2036	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3020	Zerus.exe
772	rzqvwleexlar.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 772 set thread context of 2140	772	rzqvwleexlar.exe	102
PID 772 set thread context of 2100	772	rzqvwleexlar.exe	105

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2792	sc.exe
1164	sc.exe
1996	sc.exe
3056	sc.exe
1716	sc.exe
2864	sc.exe
1752	sc.exe
1812	sc.exe
2836	sc.exe
3064	sc.exe
2540	sc.exe
1728	sc.exe
1772	sc.exe
2236	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dialer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_e0745056c058f048f62d5a4793f01d333b6424787d9b749554bd8ef0c601b2e3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oral.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnalysesTolerance.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2992	PING.EXE

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 60d068f60f56db01	powershell.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2992	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3020	Zerus.exe
3044	powershell.exe
3020	Zerus.exe
3020	Zerus.exe
3020	Zerus.exe
3020	Zerus.exe
3020	Zerus.exe
3020	Zerus.exe
3020	Zerus.exe
3020	Zerus.exe
3020	Zerus.exe
3020	Zerus.exe
3020	Zerus.exe
3020	Zerus.exe
2372	Oral.pif
2372	Oral.pif
2372	Oral.pif
2372	Oral.pif
3020	Zerus.exe
3020	Zerus.exe
3020	Zerus.exe
772	rzqvwleexlar.exe
2724	powershell.exe
772	rzqvwleexlar.exe
772	rzqvwleexlar.exe
772	rzqvwleexlar.exe
772	rzqvwleexlar.exe
772	rzqvwleexlar.exe
772	rzqvwleexlar.exe
772	rzqvwleexlar.exe
772	rzqvwleexlar.exe
772	rzqvwleexlar.exe
772	rzqvwleexlar.exe
772	rzqvwleexlar.exe
772	rzqvwleexlar.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2372	Oral.pif
2372	Oral.pif
1912	dialer.exe
1912	dialer.exe
2100	explorer.exe
1912	dialer.exe
1912	dialer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe
2100	explorer.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeShutdownPrivilege	2668	powercfg.exe
Token: SeShutdownPrivilege	2972	powercfg.exe
Token: SeShutdownPrivilege	2620	powercfg.exe
Token: SeShutdownPrivilege	3012	powercfg.exe
Token: SeDebugPrivilege	2364	tasklist.exe
Token: SeDebugPrivilege	2036	tasklist.exe
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeShutdownPrivilege	2420	powercfg.exe
Token: SeShutdownPrivilege	1340	powercfg.exe
Token: SeShutdownPrivilege	2452	powercfg.exe
Token: SeLockMemoryPrivilege	2100	explorer.exe
Token: SeShutdownPrivilege	1016	powercfg.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2372	Oral.pif
2372	Oral.pif
2372	Oral.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2372	Oral.pif
2372	Oral.pif
2372	Oral.pif

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 3020	2360	JaffaCakes118_e0745056c058f048f62d5a4793f01d333b6424787d9b749554bd8ef0c601b2e3.exe	31
PID 2360 wrote to memory of 3020	2360	JaffaCakes118_e0745056c058f048f62d5a4793f01d333b6424787d9b749554bd8ef0c601b2e3.exe	31
PID 2360 wrote to memory of 3020	2360	JaffaCakes118_e0745056c058f048f62d5a4793f01d333b6424787d9b749554bd8ef0c601b2e3.exe	31
PID 2360 wrote to memory of 3020	2360	JaffaCakes118_e0745056c058f048f62d5a4793f01d333b6424787d9b749554bd8ef0c601b2e3.exe	31
PID 2360 wrote to memory of 1364	2360	JaffaCakes118_e0745056c058f048f62d5a4793f01d333b6424787d9b749554bd8ef0c601b2e3.exe	32
PID 2360 wrote to memory of 1364	2360	JaffaCakes118_e0745056c058f048f62d5a4793f01d333b6424787d9b749554bd8ef0c601b2e3.exe	32
PID 2360 wrote to memory of 1364	2360	JaffaCakes118_e0745056c058f048f62d5a4793f01d333b6424787d9b749554bd8ef0c601b2e3.exe	32
PID 2360 wrote to memory of 1364	2360	JaffaCakes118_e0745056c058f048f62d5a4793f01d333b6424787d9b749554bd8ef0c601b2e3.exe	32
PID 2784 wrote to memory of 2240	2784	cmd.exe	42
PID 2784 wrote to memory of 2240	2784	cmd.exe	42
PID 2784 wrote to memory of 2240	2784	cmd.exe	42
PID 1364 wrote to memory of 1704	1364	AnalysesTolerance.exe	61
PID 1364 wrote to memory of 1704	1364	AnalysesTolerance.exe	61
PID 1364 wrote to memory of 1704	1364	AnalysesTolerance.exe	61
PID 1364 wrote to memory of 1704	1364	AnalysesTolerance.exe	61
PID 1704 wrote to memory of 1956	1704	cmd.exe	63
PID 1704 wrote to memory of 1956	1704	cmd.exe	63
PID 1704 wrote to memory of 1956	1704	cmd.exe	63
PID 1704 wrote to memory of 1956	1704	cmd.exe	63
PID 1956 wrote to memory of 2364	1956	cmd.exe	64
PID 1956 wrote to memory of 2364	1956	cmd.exe	64
PID 1956 wrote to memory of 2364	1956	cmd.exe	64
PID 1956 wrote to memory of 2364	1956	cmd.exe	64
PID 1956 wrote to memory of 568	1956	cmd.exe	65
PID 1956 wrote to memory of 568	1956	cmd.exe	65
PID 1956 wrote to memory of 568	1956	cmd.exe	65
PID 1956 wrote to memory of 568	1956	cmd.exe	65
PID 1956 wrote to memory of 2036	1956	cmd.exe	67
PID 1956 wrote to memory of 2036	1956	cmd.exe	67
PID 1956 wrote to memory of 2036	1956	cmd.exe	67
PID 1956 wrote to memory of 2036	1956	cmd.exe	67
PID 1956 wrote to memory of 2024	1956	cmd.exe	68
PID 1956 wrote to memory of 2024	1956	cmd.exe	68
PID 1956 wrote to memory of 2024	1956	cmd.exe	68
PID 1956 wrote to memory of 2024	1956	cmd.exe	68
PID 1956 wrote to memory of 1960	1956	cmd.exe	69
PID 1956 wrote to memory of 1960	1956	cmd.exe	69
PID 1956 wrote to memory of 1960	1956	cmd.exe	69
PID 1956 wrote to memory of 1960	1956	cmd.exe	69
PID 1956 wrote to memory of 2796	1956	cmd.exe	70
PID 1956 wrote to memory of 2796	1956	cmd.exe	70
PID 1956 wrote to memory of 2796	1956	cmd.exe	70
PID 1956 wrote to memory of 2796	1956	cmd.exe	70
PID 1956 wrote to memory of 2004	1956	cmd.exe	71
PID 1956 wrote to memory of 2004	1956	cmd.exe	71
PID 1956 wrote to memory of 2004	1956	cmd.exe	71
PID 1956 wrote to memory of 2004	1956	cmd.exe	71
PID 1956 wrote to memory of 2372	1956	cmd.exe	72
PID 1956 wrote to memory of 2372	1956	cmd.exe	72
PID 1956 wrote to memory of 2372	1956	cmd.exe	72
PID 1956 wrote to memory of 2372	1956	cmd.exe	72
PID 1956 wrote to memory of 2992	1956	cmd.exe	73
PID 1956 wrote to memory of 2992	1956	cmd.exe	73
PID 1956 wrote to memory of 2992	1956	cmd.exe	73
PID 1956 wrote to memory of 2992	1956	cmd.exe	73
PID 2856 wrote to memory of 1132	2856	cmd.exe	80
PID 2856 wrote to memory of 1132	2856	cmd.exe	80
PID 2856 wrote to memory of 1132	2856	cmd.exe	80
PID 1540 wrote to memory of 876	1540	cmd.exe	89
PID 1540 wrote to memory of 876	1540	cmd.exe	89
PID 1540 wrote to memory of 876	1540	cmd.exe	89
PID 772 wrote to memory of 2140	772	rzqvwleexlar.exe	102
PID 772 wrote to memory of 2140	772	rzqvwleexlar.exe	102
PID 772 wrote to memory of 2140	772	rzqvwleexlar.exe	102

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1208
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e0745056c058f048f62d5a4793f01d333b6424787d9b749554bd8ef0c601b2e3.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e0745056c058f048f62d5a4793f01d333b6424787d9b749554bd8ef0c601b2e3.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Users\Admin\AppData\Roaming\Zerus.exe
    C:\Users\Admin\AppData\Roaming\Zerus.exe
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:3020
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3044
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2784
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        Drops file in Windows directory
        
        PID:2240
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:2836
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:3064
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:2792
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:1164
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:2540
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:2620
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:2668
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:2972
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:3012
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "LWIJOCRH"
      4⤵
      Launches sc.exe
      PID:3056
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "LWIJOCRH" binpath= "C:\ProgramData\stavhmmfabee\rzqvwleexlar.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:1716
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:1996
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "LWIJOCRH"
      4⤵
      Launches sc.exe
      PID:2864
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Zerus.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2856
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:1132
- - C:\Users\Admin\AppData\Roaming\AnalysesTolerance.exe
    C:\Users\Admin\AppData\Roaming\AnalysesTolerance.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1364
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /k cmd < Sh & exit
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1704
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1956
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:568
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2036
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2024
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c mkdir 29850
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1960
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b Ralph + Provides + Confirmation + Labs + Potential 29850\Oral.pif
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2796
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b Although + Acc + Armenia 29850\K
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2004
      - C:\Users\Admin\AppData\Local\Temp\4603\29850\Oral.pif
        
        29850\Oral.pif 29850\K
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2372
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 5 localhost
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2992
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1912

C:\ProgramData\stavhmmfabee\rzqvwleexlar.exe
C:\ProgramData\stavhmmfabee\rzqvwleexlar.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:772
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1540
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Drops file in Windows directory
    PID:876
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:1752
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:1728
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:1812
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:1772
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:2236
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1016
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2420
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1340
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2452
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:2140
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4603\29850\K

Filesize
1.0MB

MD5
835e6f2b8c59a41a6ba6e9a3478b315d

SHA1
e903364a2f83e1f2a47a949ebb6f9cf26954c845

SHA256
de87bd7dc0a5f106b8206b2aab6b9a8dfaa14385fc13e651f553cf9e420d2eec

SHA512
00a99581301636bc9eaf15e4992c06e164bb11b9cee33f87e908ee1f730c1ab24d59dc3b19f6d72066bb0064a7ff003ef86a892ea7f348cf57001304b91cd411

Download Submit
C:\Users\Admin\AppData\Local\Temp\4603\29850\Oral.pif

Filesize
924KB

MD5
848164d084384c49937f99d5b894253e

SHA1
3055ef803eeec4f175ebf120f94125717ee12444

SHA256
f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

SHA512
aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4603\Acc

Filesize
431KB

MD5
c1ca9f8fd5e804b7a960f1af79b9bba1

SHA1
3fabf712c56399a3514dd2c7cc9689665fa8dad8

SHA256
7a72b36ce1e214c0fe998d69e3d8aed12da33f3b74697ef5425f94d162351f3d

SHA512
7b4ae1a5e88800c39ef043b0d9ebd073d20f8b50330d696db4990a112e7755bebf3e6425079cdc5e05a308f1de5741a0d857189570fd811a7917c1ff7ddfacdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\4603\Although

Filesize
460KB

MD5
88471ae808b89829170152aa9bd186fe

SHA1
e61430202cabeb36a442aedc5c1037f282fc5b02

SHA256
79c6a81fee59317a1d2d11782cb5efed1acf2e857805824da8c1089d1c572dee

SHA512
18d893432a4119eba80d6bf3d2bc1e19f075eac61928e1b4a6d0ff6034fae9c7d5f68eef0eab8e2e262fdc9ee29f07ae5fe81fa417e8535f8ec65beebb61137a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4603\Armenia

Filesize
135KB

MD5
534ba9cfaa75db1323d78082a0ad5df5

SHA1
218f5a81b893525212016a0ed8b3e9ce8058f521

SHA256
5c05c929e1eb0976dd6d8948e6e8628576e5905630af222c45bb3b3d4b301278

SHA512
3403edfae33b42ae475f484fff87bf1ab22c1541a71a763293491ba4f0221ed4ea06bf9cdaa3d9594fcee8e4f52a205aebd9e897a8de1960cb08fe5840e46519

Download Submit
C:\Users\Admin\AppData\Local\Temp\4603\Confirmation

Filesize
177KB

MD5
9f0c089823a6b23aa9b7c545d67bfa4a

SHA1
dd2c8a324fa6904abb65f546f3db493e3b4213c0

SHA256
99f2fa72478c3fc7a8711555a11e41611d34d4d914c54a8fcc4b9e0d28cbf8a1

SHA512
199d1ed63f506fed34c535ce86c4cc7f3b3ef17002b08c82d1f0867ff6d51142b3192f38b5f1569c80673da5096f82de0b2c4513356e9dc3fdc56e08c59a7635

Download Submit
C:\Users\Admin\AppData\Local\Temp\4603\Labs

Filesize
176KB

MD5
b2c6da73a033cdd6bf6ef53d1ab265cc

SHA1
9ea6001e863f9487ec0868777e126716aab7106a

SHA256
fde6743c236eacbcc28a42f82deec0a600958cf83ce6158932d80526e4b264b3

SHA512
4281c0a47b4c02d9fcd9775b1acc803882948a6bd1cecd19084b7b3716726f45f3527a2945542e83480144591ea2a83e2afcfa2f6463467536c9604485ae502b

Download Submit
C:\Users\Admin\AppData\Local\Temp\4603\Potential

Filesize
131KB

MD5
c8d9cb0997f6bab5bf8d480121c75d82

SHA1
f9a34641e2aa1c9301fee18cb7b263155757b11d

SHA256
d8f727acdd144941b51b5b56add2b67e1fc07ccbf9e7ed5aaa03c798cbdb0c5a

SHA512
1bb9a3efed03acff37ac09b7fd40ff4ce7e19edc02b58b24b731c586d6740c56674453db3d083ed7b40dc9b294246cfcbb1c2fcefbdb793a0a3eba9a679e3f9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\4603\Provides

Filesize
270KB

MD5
cb7d63035002a9f21189020e4da9f05c

SHA1
f741b0cecc0a68af5ac3b5ceae751b579413be41

SHA256
278b4f045a61086daa4a9fbe57abc0612c0843d0cc4349c514a7446d1a6190da

SHA512
4c622f8216274d76ec7d816be9e8c1bc04da52020f163d5603b32f2f456d10c243ec51c607161812dee6c26e739c781fe823d9cbfe1d04e6d118b7e822e10c78

Download Submit
C:\Users\Admin\AppData\Local\Temp\4603\Ralph

Filesize
170KB

MD5
296cc0ff0ce6646c7cd2a82f92f8e75b

SHA1
606d4200639e413c5ca18d2ba3a527c4803ff72a

SHA256
b47d8cd950ff9e14b34fe7205d13a2b68b207a68e137d1670f4f89452b55ae13

SHA512
29e6c078ca097d48494a50f8e9fda7e4bc9ff67bf39f16ff6a83382717984973b9b1385c3e729374c5496304435fc1e71f2a3648b13aa3b9f036ad91fbb742ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\4603\Sh

Filesize
13KB

MD5
86388e68a8d21dace8bc48367f9a6a7f

SHA1
458f8e4aad5cea7f0a79a718c6d4a5b1ac77f6aa

SHA256
810e2affe30a30145e0a1fb149cc6cf1892b381059f085f9cc406198927e2b9c

SHA512
3fe8aed7393d18d42afeb64573f19b5d202772cea1fe44c6234e7efed5cb1d7f062b9c936c7aaed245bf0cbe74834cfebb8ba0fb4d526f3b5db1a0ab6b3f64c6

Download Submit
C:\Users\Admin\AppData\Roaming\AnalysesTolerance.exe

Filesize
1.6MB

MD5
288f2f274f6e6571c26f2536ae452d0d

SHA1
d9d6162274d5398cdfa948f9fb00af3c8a41997f

SHA256
e61a8a8ba16b5c4917735c48634c87751570bb3ca450448b2c0dded458b7a6e6

SHA512
927d5d95f995228b49b02f603d8948c120f7320708b51362be9966a758b2eb60737d651528ac9c45cd1e8b65f06049e914020122ce891376f7ad6a830164f9f0

Download Submit
memory/772-77-0x0000000140000000-0x0000000140B0B000-memory.dmp

Filesize
11.0MB

Download
memory/772-53-0x0000000140000000-0x0000000140B0B000-memory.dmp

Filesize
11.0MB

Download
memory/1364-84-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download
memory/1364-17-0x0000000077690000-0x0000000077839000-memory.dmp

Filesize
1.7MB

Download
memory/1364-78-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download
memory/1912-99-0x00000000000C0000-0x00000000000C9000-memory.dmp

Filesize
36KB

Download
memory/1912-101-0x0000000000690000-0x0000000000A90000-memory.dmp

Filesize
4.0MB

Download
memory/1912-102-0x0000000077690000-0x0000000077839000-memory.dmp

Filesize
1.7MB

Download
memory/1912-104-0x0000000077070000-0x00000000770B7000-memory.dmp

Filesize
284KB

Download
memory/2100-68-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2100-83-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2100-65-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2100-105-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2100-107-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2100-106-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2100-86-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2100-85-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2100-81-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2100-82-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2100-66-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2100-80-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2100-70-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2100-73-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2100-75-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2100-69-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2100-76-0x00000000002F0000-0x0000000000310000-memory.dmp

Filesize
128KB

Download
memory/2100-72-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2100-71-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2100-67-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2100-79-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2140-63-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2140-57-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2140-58-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2140-61-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2140-60-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2140-59-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2360-10-0x0000000002ED0000-0x00000000039DB000-memory.dmp

Filesize
11.0MB

Download
memory/2360-7-0x0000000002ED0000-0x00000000039DB000-memory.dmp

Filesize
11.0MB

Download
memory/2372-89-0x0000000003A90000-0x0000000003B18000-memory.dmp

Filesize
544KB

Download
memory/2372-88-0x0000000003A90000-0x0000000003B18000-memory.dmp

Filesize
544KB

Download
memory/2372-87-0x0000000003A90000-0x0000000003B18000-memory.dmp

Filesize
544KB

Download
memory/2372-91-0x0000000003A90000-0x0000000003B18000-memory.dmp

Filesize
544KB

Download
memory/2372-93-0x0000000003A90000-0x0000000003B18000-memory.dmp

Filesize
544KB

Download
memory/2372-92-0x0000000003A90000-0x0000000003B18000-memory.dmp

Filesize
544KB

Download
memory/2372-94-0x0000000003B20000-0x0000000003F20000-memory.dmp

Filesize
4.0MB

Download
memory/2372-95-0x0000000003B20000-0x0000000003F20000-memory.dmp

Filesize
4.0MB

Download
memory/2372-96-0x0000000077690000-0x0000000077839000-memory.dmp

Filesize
1.7MB

Download
memory/2372-98-0x0000000077070000-0x00000000770B7000-memory.dmp

Filesize
284KB

Download
memory/2724-55-0x0000000019D70000-0x000000001A052000-memory.dmp

Filesize
2.9MB

Download
memory/2724-56-0x0000000000A60000-0x0000000000A68000-memory.dmp

Filesize
32KB

Download
memory/3020-16-0x0000000140000000-0x0000000140B0B000-memory.dmp

Filesize
11.0MB

Download
memory/3020-13-0x00000000776E0000-0x00000000776E2000-memory.dmp

Filesize
8KB

Download
memory/3020-49-0x0000000140000000-0x0000000140B0B000-memory.dmp

Filesize
11.0MB

Download
memory/3044-22-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/3044-23-0x00000000027A0000-0x00000000027A8000-memory.dmp

Filesize
32KB

Download